Re: [edk2-devel] [edk2-platform][patch] FitGen: Add FIT spec revision in FitGen tool help message
Reviewed-by: Bob Feng -Original Message- From: Gao, Liming Sent: Friday, February 14, 2020 3:51 PM To: devel@edk2.groups.io Cc: Feng, Bob C ; Lohr, Paul A Subject: [edk2-platform][patch] FitGen: Add FIT spec revision in FitGen tool help message BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2483 Signed-off-by: Liming Gao Cc: Bob Feng Cc: Paul Lohr --- Silicon/Intel/Tools/FitGen/FitGen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Silicon/Intel/Tools/FitGen/FitGen.c b/Silicon/Intel/Tools/FitGen/FitGen.c index 8122c10ebb..2ed636093a 100644 --- a/Silicon/Intel/Tools/FitGen/FitGen.c +++ b/Silicon/Intel/Tools/FitGen/FitGen.c @@ -294,7 +294,7 @@ Returns: --*/ { printf ( -"%s - Tiano IA32/X64 FIT table generation Utility."" Version %i.%i\n\n", +"%s - Tiano IA32/X64 FIT table generation Utility for FIT spec revision 1.1."" Version %i.%i\n\n", UTILITY_NAME, UTILITY_MAJOR_VERSION, UTILITY_MINOR_VERSION -- 2.13.0.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54430): https://edk2.groups.io/g/devel/message/54430 Mute This Topic: https://groups.io/mt/71265173/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [edk2-platform][patch] FitGen: Add FIT spec revision in FitGen tool help message
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2483 Signed-off-by: Liming Gao Cc: Bob Feng Cc: Paul Lohr --- Silicon/Intel/Tools/FitGen/FitGen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Silicon/Intel/Tools/FitGen/FitGen.c b/Silicon/Intel/Tools/FitGen/FitGen.c index 8122c10ebb..2ed636093a 100644 --- a/Silicon/Intel/Tools/FitGen/FitGen.c +++ b/Silicon/Intel/Tools/FitGen/FitGen.c @@ -294,7 +294,7 @@ Returns: --*/ { printf ( -"%s - Tiano IA32/X64 FIT table generation Utility."" Version %i.%i\n\n", +"%s - Tiano IA32/X64 FIT table generation Utility for FIT spec revision 1.1."" Version %i.%i\n\n", UTILITY_NAME, UTILITY_MAJOR_VERSION, UTILITY_MINOR_VERSION -- 2.13.0.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54429): https://edk2.groups.io/g/devel/message/54429 Mute This Topic: https://groups.io/mt/71265173/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
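Review bot: the FIT spec revision is hard-coded as the literal "1.1" inside the changed printf format string, while the tool's own version in the same call comes from UTILITY_MAJOR_VERSION and UTILITY_MINOR_VERSION; define the spec revision as a macro next to those and pass it as an argument, so the help text cannot drift from the revision the generator implements.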
Re: [edk2-devel] [PATCH v2 06/10] SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (1)(CVE-2019-14575)
Reviewed-by: Jiewen Yao > -Original Message- > From: Wang, Jian J > Sent: Friday, February 14, 2020 3:28 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Zhang, Chao B > ; Laszlo Ersek > Subject: [PATCH v2 06/10] SecurityPkg/DxeImageVerificationLib: Differentiate > error/search result (1)(CVE-2019-14575) > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 > > To avoid false-negative issue in check hash against dbx, both error > condition (as return value) and check result (as out parameter) of > IsCertHashFoundInDatabase() are added. So the caller of this function > will know exactly if a failure is caused by a black list hit or > other error happening, and enforce a more secure operation to prevent > secure boot from being bypassed. For a white list check (db), there's > no such necessity. > > Cc: Jiewen Yao > Cc: Chao Zhang > Signed-off-by: Jian J Wang > Signed-off-by: Laszlo Ersek > --- > .../DxeImageVerificationLib.c | 64 --- > 1 file changed, 42 insertions(+), 22 deletions(-) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 8739d1fa29..85261ba7f2 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
> @@ -822,22 +822,23 @@ AddImageExeInfo ( >@param[in] SignatureList Pointer to the Signature List in forbidden > database. > >@param[in] SignatureListSize Size of Signature List. > >@param[out] RevocationTimeReturn the time that the certificate was > revoked. > > + @param[out] IsFound Search result. Only valid if EFI_SUCCESS > returned. > > > > - @return TRUE The certificate hash is found in the forbidden database. > > - @return FALSE The certificate hash is not found in the forbidden database. > > + @retval EFI_SUCCESS Finished the search without any error. > > + @retval OthersError occurred in the search of database. > > > > **/ > > -BOOLEAN > > +EFI_STATUS > > IsCertHashFoundInDatabase ( > >IN UINT8 *Certificate, > >IN UINTN CertSize, > >IN EFI_SIGNATURE_LIST *SignatureList, > >IN UINTN SignatureListSize, > > - OUT EFI_TIME*RevocationTime > > + OUT EFI_TIME*RevocationTime, > > + OUT BOOLEAN *IsFound > >) > > { > > - BOOLEAN IsFound; > > - BOOLEAN Status; > > + EFI_STATUS Status; > >EFI_SIGNATURE_LIST *DbxList; > >UINTN DbxSize; > >EFI_SIGNATURE_DATA *CertHash; > > @@ -851,21 +852,22 @@ IsCertHashFoundInDatabase ( >UINT8 *TBSCert; > >UINTN TBSCertSize; > > > > - IsFound = FALSE; > > + Status = EFI_ABORTED; > > + *IsFound = FALSE; > >DbxList = SignatureList; > >DbxSize = SignatureListSize; > >HashCtx = NULL; > >HashAlg = HASHALG_MAX; > > > >if ((RevocationTime == NULL) || (DbxList == NULL)) { > > -return FALSE; > > +return EFI_INVALID_PARAMETER; > >} > > > >// > >// Retrieve the TBSCertificate from the X.509 Certificate. > >// > >if (!X509GetTBSCert (Certificate, CertSize, , )) { > > -return FALSE; > > +return Status; > >} > > > >while ((DbxSize > 0) && (SignatureListSize >= DbxList->SignatureListSize)) > { 
> > @@ -895,16 +897,13 @@ IsCertHashFoundInDatabase ( > if (HashCtx == NULL) { > >goto Done; > > } > > -Status = mHash[HashAlg].HashInit (HashCtx); > > -if (!Status) { > > +if (!mHash[HashAlg].HashInit (HashCtx)) { > >goto Done; > > } > > -Status = mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize); > > -if (!Status) { > > +if (!mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize)) { > >goto Done; > > } > > -Status = mHash[HashAlg].HashFinal (HashCtx, CertDigest); > > -if (!Status) { > > +if (!mHash[HashAlg].HashFinal (HashCtx, CertDigest)) { > >goto Done; > > } > > > > @@ -923,7 +922,8 @@ IsCertHashFoundInDatabase ( > // > > // Hash of Certificate is found in forbidden database. > > // > > -IsFound = TRUE; > > +Status = EFI_SUCCESS; > > +*IsFound = TRUE; > > > > // > > // Return the revocation time. > > @@ -938,12 +938,14 @@ IsCertHashFoundInDatabase ( > DbxList = (EFI_SIGNATURE_LIST *) ((UINT8 *) DbxList + DbxList- > >SignatureListSize); > >} > > > > + Status = EFI_SUCCESS; > > + > > Done: > >if (HashCtx != NULL) { > > FreePool (HashCtx); > >} > > > > - return IsFound; > > + return Status; > > } > > > > /** > > @@ -1216,6 +1218,7 @@ IsForbiddenByDbx ( > { >
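Review bot: every failure exit in IsCertHashFoundInDatabase() after this change (X509GetTBSCert failing, HashCtx == NULL, HashInit/HashUpdate/HashFinal failing) reports the same EFI_ABORTED, and only because Status keeps its initial value until the end of the loop; assign an explicit code before each `goto Done`, for example EFI_OUT_OF_RESOURCES for the HashCtx == NULL case, so a later edit that stores into Status inside the loop cannot turn one of these exits into EFI_SUCCESS.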
Re: [edk2-devel] [PATCH v2 10/10] SecurityPkg/DxeImageVerificationLib: change IsCertHashFoundInDatabase name(CVE-2019-14575)
Reviewed-by: Jiewen Yao > -Original Message- > From: Wang, Jian J > Sent: Friday, February 14, 2020 3:28 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Zhang, Chao B > > Subject: [PATCH v2 10/10] SecurityPkg/DxeImageVerificationLib: change > IsCertHashFoundInDatabase name(CVE-2019-14575) > > IsCertHashFoundInDatabase() is actually used only for searching dbx, > according to the function logic, its comments and its use cases. Changing > it to IsCertHashFoundInDbx to avoid confusion. > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 > Cc: Jiewen Yao > Cc: Chao Zhang > Signed-off-by: Jian J Wang > --- > .../DxeImageVerificationLib/DxeImageVerificationLib.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 0e1587bc3c..b7fa8ea8c5 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -829,7 +829,7 @@ AddImageExeInfo ( > > > **/ > > EFI_STATUS > > -IsCertHashFoundInDatabase ( > > +IsCertHashFoundInDbx ( > >IN UINT8 *Certificate, > >IN UINTN CertSize, > >IN EFI_SIGNATURE_LIST *SignatureList, > > @@ -1362,7 +1362,7 @@ IsForbiddenByDbx ( > // > > CertPtr = CertPtr + sizeof (UINT32) + CertSize; > > > > -Status = IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST > *)Data, DataSize, , ); > > +Status = IsCertHashFoundInDbx (Cert, CertSize, (EFI_SIGNATURE_LIST > *)Data, > DataSize, , ); > > if (EFI_ERROR (Status)) { > >// > >// Error in searching dbx. Consider it as 'found'. RevocationTime might 
> > @@ -1528,7 +1528,7 @@ IsAllowedByDb ( > // > > // Here We still need to check if this RootCert's Hash is revoked > > // > > -Status = IsCertHashFoundInDatabase (RootCert, RootCertSize, > (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, , ); > > +Status = IsCertHashFoundInDbx (RootCert, RootCertSize, > (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, , ); > > if (EFI_ERROR (Status)) { > >// > >// Error in searching dbx. Consider it as 'found'. > RevocationTime might > > -- > 2.24.0.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54427): https://edk2.groups.io/g/devel/message/54427 Mute This Topic: https://groups.io/mt/71264909/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
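Review bot: both renamed call sites, in IsForbiddenByDbx() and in IsAllowedByDb(), carry the same `if (EFI_ERROR (Status))` block with the same "Consider it as 'found'" comment; now that the helper is dbx-only, a small wrapper that returns TRUE on error or on a hit would keep that fail-closed rule in one place instead of two.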
[edk2-devel] [PATCH v2 01/10] SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 Pointer HashCtx used in IsCertHashFoundInDatabase() is not freed inside the while-loop, if it will run more than once. Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Jian J Wang Reviewed-by: Jiewen Yao --- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index dbfbfcb4fb..74dbffa122 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -908,6 +908,9 @@ IsCertHashFoundInDatabase ( goto Done; } +FreePool (HashCtx); +HashCtx = NULL; + SiglistHeaderSize = sizeof (EFI_SIGNATURE_LIST) + DbxList->SignatureHeaderSize; CertHash = (EFI_SIGNATURE_DATA *) ((UINT8 *) DbxList + SiglistHeaderSize); CertHashCount = (DbxList->SignatureListSize - SiglistHeaderSize) / DbxList->SignatureSize; -- 2.24.0.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54417): https://edk2.groups.io/g/devel/message/54417 Mute This Topic: https://groups.io/mt/71264898/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
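Review bot: the added `HashCtx = NULL;` after `FreePool (HashCtx);` is what keeps the `Done:` label's `if (HashCtx != NULL) { FreePool (HashCtx); }` from freeing the context a second time, but nothing in the hunk says so; add a one-line comment so a later cleanup does not drop the reset as redundant.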
[edk2-devel] [PATCH v2 00/10] Fix false negative issue in DxeImageVerificationHandler
> v2 changes:
>    - Change IsCertHashFoundInDatabase to IsCertHashFoundInDbx (patch 10)
>    - Update result handling to all calling to IsCertHashFoundInDatabase
>      to be consistent (patch 6)
>    - Fix commit message and title length issue caught by PatchCheck tool

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
Patch branch: https://github.com/jwang36/edk2/tree/fix-bz1608-bypass-blacklist-check-via-signature-v2

Cc: Jiewen Yao
Cc: Chao Zhang

Jian J Wang (9):
  SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0 per DBX(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in IsAllowedByDb(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching dbx(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching code(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (1)(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: tighten default result(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (2)(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: change IsCertHashFoundInDatabase name(CVE-2019-14575)

Laszlo Ersek (1):
  SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx()(CVE-2019-14575)

 .../DxeImageVerificationLib.c | 291 --
 1 file changed, 198 insertions(+), 93 deletions(-)

--
2.24.0.windows.2

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#54416): https://edk2.groups.io/g/devel/message/54416
Mute This Topic: https://groups.io/mt/71264897/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v2 02/10] SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0 per DBX(CVE-2019-14575)
In case the signers' certificate stack, retrieved from the PE/COFF image's Authenticode blob, has zero elements (=there are zero signer certificates), then we should consider the image forbidden by DBX, not accepted by DBX. Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Jian J Wang Reviewed-by: Laszlo Ersek Reviewed-by: Jiewen Yao --- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 74dbffa122..5dcd6efed5 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1326,7 +1326,7 @@ IsForbiddenByDbx ( // UINT8 Certn[]; // Pkcs7GetSigners (AuthData, AuthDataSize, , , , ); - if ((BufferLength == 0) || (CertBuffer == NULL)) { + if ((BufferLength == 0) || (CertBuffer == NULL) || (*CertBuffer) == 0) { IsForbidden = TRUE; goto Done; } -- 2.24.0.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54418): https://edk2.groups.io/g/devel/message/54418 Mute This Topic: https://groups.io/mt/71264900/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
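Review bot: the new term in the condition in IsForbiddenByDbx() is written `(*CertBuffer) == 0` without the enclosing parentheses the other two terms have, and it reads the signer count as a bare dereference; write it as `((*CertBuffer) == 0)` and add a comment that `*CertBuffer` is the CertNumber field the subject line names, since the layout comment above it is only partly visible at this point.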
[edk2-devel] [PATCH v2 04/10] SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching dbx(CVE-2019-14575)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 In timestamp check after the cert is found in db, the original code jumps to 'Done' if any error happens in fetching dbx variable. At any of the jump, VerifyStatus equals to TRUE, which means allowed-by-db. This should not be allowed except to EFI_NOT_FOUND case (meaning dbx doesn't exist), because it could be used to bypass timestamp check. This patch add code to change VerifyStatus to FALSE in the case of memory allocation failure and dbx fetching failure to avoid potential bypass issue. Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Jian J Wang Reviewed-by: Jiewen Yao --- .../DxeImageVerificationLib/DxeImageVerificationLib.c | 11 +++ 1 file changed, 11 insertions(+) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 1efb2f96cd..ed5dbf26b0 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
@@ -1459,15 +1459,26 @@ IsAllowedByDb ( DbxDataSize = 0; Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, , NULL, , NULL); if (Status != EFI_BUFFER_TOO_SMALL) { + if (Status != EFI_NOT_FOUND) { +VerifyStatus = FALSE; + } goto Done; } DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize); if (DbxData == NULL) { + // + // Force not-allowed-by-db to avoid bypass + // + VerifyStatus = FALSE; goto Done; } Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, , NULL, , (VOID *) DbxData); if (EFI_ERROR (Status)) { + // + // Force not-allowed-by-db to avoid bypass + // + VerifyStatus = FALSE; goto Done; } -- 2.24.0.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54420): https://edk2.groups.io/g/devel/message/54420 Mute This Topic: https://groups.io/mt/71264902/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
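Review bot: the first added block, `if (Status != EFI_NOT_FOUND) { VerifyStatus = FALSE; }`, is the only one of the three that has no comment, and it is the one with the exception in it; add the same "Force not-allowed-by-db to avoid bypass" comment there and state that EFI_NOT_FOUND is exempt because a missing dbx means there is nothing to revoke against.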
[edk2-devel] [PATCH v2 09/10] SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (2)(CVE-2019-14575)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 To avoid false-negative issue in check hash against dbx, both error condition (as return value) and check result (as out parameter) of IsSignatureFoundInDatabase() are added. So the caller of this function will know exactly if a failure is caused by a black list hit or other error happening, and enforce a more secure operation to prevent secure boot from being bypassed. For a white list check (db), there's no such necessity. All intermediate results inside this function will be checked and returned immediately upon any failure or error, like out-of-resource, hash calculation error or certificate retrieval failure. Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Jian J Wang Reviewed-by: Laszlo Ersek Reviewed-by: Jiewen Yao --- .../DxeImageVerificationLib.c | 77 ++- 1 file changed, 58 insertions(+), 19 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index f20640af68..0e1587bc3c 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
@@ -955,17 +955,19 @@ Done: @param[in] Signature Pointer to signature that is searched for. @param[in] CertTypePointer to hash algorithm. @param[in] SignatureSize Size of Signature. + @param[out] IsFound Search result. Only valid if EFI_SUCCESS returned - @return TRUEFound the signature in the variable database. - @return FALSE Not found the signature in the variable database. + @retval EFI_SUCCESS Finished the search without any error. + @retval Others Error occurred in the search of database. **/ -BOOLEAN +EFI_STATUS IsSignatureFoundInDatabase ( - IN CHAR16 *VariableName, - IN UINT8 *Signature, - IN EFI_GUID *CertType, - IN UINTN SignatureSize + IN CHAR16*VariableName, + IN UINT8 *Signature, + IN EFI_GUID *CertType, + IN UINTN SignatureSize, + OUT BOOLEAN *IsFound ) { EFI_STATUS Status; @@ -975,22 +977,28 @@ IsSignatureFoundInDatabase ( UINT8 *Data; UINTN Index; UINTN CertCount; - BOOLEAN IsFound; // // Read signature database variable. // - IsFound = FALSE; + *IsFound = FALSE; Data = NULL; DataSize = 0; Status= gRT->GetVariable (VariableName, , NULL, , NULL); if (Status != EFI_BUFFER_TOO_SMALL) { -return FALSE; +if (Status == EFI_NOT_FOUND) { + // + // No database, no need to search. + // + Status = EFI_SUCCESS; +} + +return Status; } Data = (UINT8 *) AllocateZeroPool (DataSize); if (Data == NULL) { -return FALSE; +return EFI_OUT_OF_RESOURCES; } Status = gRT->GetVariable (VariableName, , NULL, , Data); @@ -1010,7 +1018,7 @@ IsSignatureFoundInDatabase ( // // Find the signature in database. // - IsFound = TRUE; + *IsFound = TRUE; // // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to validate image should be measured // @@ -1023,7 +1031,7 @@ IsSignatureFoundInDatabase ( Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize); } - if (IsFound) { + if (*IsFound) { break; } } @@ -1037,7 +1045,7 @@ Done: FreePool (Data); } - return IsFound; + return Status; } /** 
@@ -1648,6 +1656,8 @@ DxeImageVerificationHandler ( CHAR16 *NameStr; RETURN_STATUSPeCoffStatus; EFI_STATUS HashStatus; + EFI_STATUS DbStatus; + BOOLEAN IsFound; SignatureList = NULL; SignatureListSize = 0; @@ -1656,7 +1666,7 @@ DxeImageVerificationHandler ( PkcsCertData = NULL; Action= EFI_IMAGE_EXECUTION_AUTH_UNTESTED; IsVerified= FALSE; - + IsFound = FALSE; // // Check the image type and get policy setting. @@ -1798,7 +1808,14 @@ DxeImageVerificationHandler ( goto Failed; } -if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, , mImageDigestSize)) { +DbStatus = IsSignatureFoundInDatabase ( + EFI_IMAGE_SECURITY_DATABASE1, + mImageDigest, + , + mImageDigestSize, + + ); +if (EFI_ERROR (DbStatus) || IsFound) { // // Image Hash is in forbidden database (DBX). // @@ -1806,7 +1823,14 @@ DxeImageVerificationHandler ( goto Failed; }
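Review bot: in DxeImageVerificationHandler() the new condition `EFI_ERROR (DbStatus) || IsFound` sends a failed lookup into the branch whose comment still reads "Image Hash is in forbidden database (DBX)", so a read or allocation error will be reported as a dbx hit; extend the comment, and any debug output in that branch, to say the image is rejected either because it is listed or because dbx could not be searched.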
[edk2-devel] [PATCH v2 07/10] SecurityPkg/DxeImageVerificationLib: tighten default result(CVE-2019-14575)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 All intermediate results inside this function will be checked and returned immediately upon any failure or error, like out-of-resource, hash calculation error or certificate retrieval failure. Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Jian J Wang Signed-off-by: Laszlo Ersek Reviewed-by: Jiewen Yao --- .../DxeImageVerificationLib/DxeImageVerificationLib.c | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 85261ba7f2..470a0d20ef 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1240,7 +1240,7 @@ IsForbiddenByDbx ( // // Variable Initialization // - IsForbidden = FALSE; + IsForbidden = TRUE; Data = NULL; CertList = NULL; CertData = NULL; @@ -1257,7 +1257,14 @@ IsForbiddenByDbx ( // DataSize = 0; Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, , NULL, , NULL); + ASSERT (EFI_ERROR (Status)); if (Status != EFI_BUFFER_TOO_SMALL) { +if (Status == EFI_NOT_FOUND) { + // + // Evidently not in dbx if the database doesn't exist. + // + IsForbidden = FALSE; +} return IsForbidden; } Data = (UINT8 *) AllocateZeroPool (DataSize); @@ -1374,6 +1381,8 @@ IsForbiddenByDbx ( } + IsForbidden = FALSE; + Done: if (Data != NULL) { FreePool (Data); -- 2.24.0.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54423): https://edk2.groups.io/g/devel/message/54423 Mute This Topic: https://groups.io/mt/71264905/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
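Review bot: `ASSERT (EFI_ERROR (Status))` after the size-probing GetVariable() call in IsForbiddenByDbx() is compiled out of builds without asserts, so it cannot be what protects against an unexpected EFI_SUCCESS; the `Status != EFI_BUFFER_TOO_SMALL` test below it does that by returning the new default TRUE, and a comment should say so. The commit message also repeats the text of patch 09 and never names IsForbiddenByDbx() or the change of the initial value from FALSE to TRUE.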
[edk2-devel] [PATCH v2 08/10] SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx()(CVE-2019-14575)
From: Laszlo Ersek REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 If the second GetVariable() call for "dbx" fails, in IsForbiddenByDbx(), we have to free Data. Jump to "Done" for that. Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Laszlo Ersek Reviewed-by: Jiewen Yao --- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 470a0d20ef..f20640af68 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1274,7 +1274,7 @@ IsForbiddenByDbx ( Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, , NULL, , (VOID *) Data); if (EFI_ERROR (Status)) { -return IsForbidden; +goto Done; } // -- 2.24.0.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54424): https://edk2.groups.io/g/devel/message/54424 Mute This Topic: https://groups.io/mt/71264906/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
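Review bot: the `goto Done` that replaces `return IsForbidden;` now returns whatever IsForbidden holds when the second GetVariable() fails, and that is TRUE only because patch 07 changed the initial value; say in the commit message that this patch depends on patch 07, so it is not picked on its own into a tree where the default is still FALSE.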
[edk2-devel] [PATCH v2 06/10] SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (1)(CVE-2019-14575)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 To avoid false-negative issue in check hash against dbx, both error condition (as return value) and check result (as out parameter) of IsCertHashFoundInDatabase() are added. So the caller of this function will know exactly if a failure is caused by a black list hit or other error happening, and enforce a more secure operation to prevent secure boot from being bypassed. For a white list check (db), there's no such necessity. Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Jian J Wang Signed-off-by: Laszlo Ersek --- .../DxeImageVerificationLib.c | 64 --- 1 file changed, 42 insertions(+), 22 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 8739d1fa29..85261ba7f2 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -822,22 +822,23 @@ AddImageExeInfo ( @param[in] SignatureList Pointer to the Signature List in forbidden database. @param[in] SignatureListSize Size of Signature List. @param[out] RevocationTimeReturn the time that the certificate was revoked. + @param[out] IsFound Search result. Only valid if EFI_SUCCESS returned. - @return TRUE The certificate hash is found in the forbidden database. - @return FALSE The certificate hash is not found in the forbidden database. + @retval EFI_SUCCESS Finished the search without any error. + @retval OthersError occurred in the search of database. **/ -BOOLEAN +EFI_STATUS IsCertHashFoundInDatabase ( IN UINT8 *Certificate, IN UINTN CertSize, IN EFI_SIGNATURE_LIST *SignatureList, IN UINTN SignatureListSize, - OUT EFI_TIME*RevocationTime + OUT EFI_TIME*RevocationTime, + OUT BOOLEAN *IsFound ) { - BOOLEAN IsFound; - BOOLEAN Status; + EFI_STATUS Status; EFI_SIGNATURE_LIST *DbxList; UINTN DbxSize; EFI_SIGNATURE_DATA *CertHash; 
@@ -851,21 +852,22 @@ IsCertHashFoundInDatabase ( UINT8 *TBSCert; UINTN TBSCertSize; - IsFound = FALSE; + Status = EFI_ABORTED; + *IsFound = FALSE; DbxList = SignatureList; DbxSize = SignatureListSize; HashCtx = NULL; HashAlg = HASHALG_MAX; if ((RevocationTime == NULL) || (DbxList == NULL)) { -return FALSE; +return EFI_INVALID_PARAMETER; } // // Retrieve the TBSCertificate from the X.509 Certificate. // if (!X509GetTBSCert (Certificate, CertSize, , )) { -return FALSE; +return Status; } while ((DbxSize > 0) && (SignatureListSize >= DbxList->SignatureListSize)) { @@ -895,16 +897,13 @@ IsCertHashFoundInDatabase ( if (HashCtx == NULL) { goto Done; } -Status = mHash[HashAlg].HashInit (HashCtx); -if (!Status) { +if (!mHash[HashAlg].HashInit (HashCtx)) { goto Done; } -Status = mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize); -if (!Status) { +if (!mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize)) { goto Done; } -Status = mHash[HashAlg].HashFinal (HashCtx, CertDigest); -if (!Status) { +if (!mHash[HashAlg].HashFinal (HashCtx, CertDigest)) { goto Done; } @@ -923,7 +922,8 @@ IsCertHashFoundInDatabase ( // // Hash of Certificate is found in forbidden database. // -IsFound = TRUE; +Status = EFI_SUCCESS; +*IsFound = TRUE; // // Return the revocation time. @@ -938,12 +938,14 @@ IsCertHashFoundInDatabase ( DbxList = (EFI_SIGNATURE_LIST *) ((UINT8 *) DbxList + DbxList->SignatureListSize); } + Status = EFI_SUCCESS; + Done: if (HashCtx != NULL) { FreePool (HashCtx); } - return IsFound; + return Status; } /** @@ -1216,6 +1218,7 @@ IsForbiddenByDbx ( { EFI_STATUSStatus; BOOLEAN IsForbidden; + BOOLEAN IsFound; UINT8 *Data; UINTN DataSize; EFI_SIGNATURE_LIST*CertList; 
@@ -1344,20 +1347,29 @@ IsForbiddenByDbx ( // CertPtr = CertPtr + sizeof (UINT32) + CertSize; -if (IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, )) { +Status = IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, , ); +if (EFI_ERROR (Status)) { // - // Check the timestamp signature and signing time to determine if the image can be trusted. + // Error in searching dbx. Consider it as 'found'. RevocationTime might + // not be valid in such situation. // IsForbidden = TRUE; +} else if (IsFound) { +
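Review bot: in the hunk at -851, `*IsFound = FALSE;` is executed before the parameter check, and that check tests only RevocationTime and DbxList, so a NULL IsFound is dereferenced before anything is validated; add `IsFound == NULL` to the condition that returns EFI_INVALID_PARAMETER and move the assignment below it.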
[edk2-devel] [PATCH v2 05/10] SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching code(CVE-2019-14575)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 The dbx fetching code inside the while/for-loop causes code hard to understand. Since there's no need to get dbx more than once, this patch simplify the code logic by moving related code to be outside the while- loop. db fetching code is also refined accordingly to reduce the indent level of code. More comments are also added or refined to explain more details. Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Jian J Wang Reviewed-by: Jiewen Yao --- .../DxeImageVerificationLib.c | 144 ++ 1 file changed, 83 insertions(+), 61 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index ed5dbf26b0..8739d1fa29 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
@@ -1412,76 +1412,92 @@ IsAllowedByDb ( RootCertSize = 0; VerifyStatus = FALSE; + // + // Fetch 'db' content. If 'db' doesn't exist or encounters problem to get the + // data, return not-allowed-by-db (FALSE). + // DataSize = 0; Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, , NULL, , NULL); - if (Status == EFI_BUFFER_TOO_SMALL) { -Data = (UINT8 *) AllocateZeroPool (DataSize); -if (Data == NULL) { - return VerifyStatus; + ASSERT (EFI_ERROR (Status)); + if (Status != EFI_BUFFER_TOO_SMALL) { +return VerifyStatus; + } + + Data = (UINT8 *) AllocateZeroPool (DataSize); + if (Data == NULL) { +return VerifyStatus; + } + + Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, , NULL, , (VOID *) Data); + if (EFI_ERROR (Status)) { +goto Done; + } + + // + // Fetch 'dbx' content. If 'dbx' doesn't exist, continue to check 'db'. + // If any other errors occured, no need to check 'db' but just return + // not-allowed-by-db (FALSE) to avoid bypass. + // + DbxDataSize = 0; + Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, , NULL, , NULL); + ASSERT (EFI_ERROR (Status)); + if (Status != EFI_BUFFER_TOO_SMALL) { +if (Status != EFI_NOT_FOUND) { + goto Done; +} +// +// 'dbx' does not exist. Continue to check 'db'. +// + } else { +// +// 'dbx' exists. Get its content. +// +DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize); +if (DbxData == NULL) { + goto Done; } -Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, , NULL, , (VOID *) Data); +Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, , NULL, , (VOID *) DbxData); if (EFI_ERROR (Status)) { goto Done; } + } -// -// Find X509 certificate in Signature List to verify the signature in pkcs7 signed data. 
-// -CertList = (EFI_SIGNATURE_LIST *) Data; -while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) { - if (CompareGuid (>SignatureType, )) { -CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); -CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; + // + // Find X509 certificate in Signature List to verify the signature in pkcs7 signed data. + // + CertList = (EFI_SIGNATURE_LIST *) Data; + while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) { +if (CompareGuid (>SignatureType, )) { + CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); + CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; -for (Index = 0; Index < CertCount; Index++) { - // - // Iterate each Signature Data Node within this CertList for verify. - // - RootCert = CertData->SignatureData; - RootCertSize = CertList->SignatureSize - sizeof (EFI_GUID); + for (Index = 0; Index < CertCount; Index++) { +// +// Iterate each Signature Data Node within this CertList for verify. +// +RootCert = CertData->SignatureData; +RootCertSize = CertList->SignatureSize - sizeof (EFI_GUID); +// +// Call AuthenticodeVerify library to Verify Authenticode struct. +// +VerifyStatus = AuthenticodeVerify ( + AuthData, + AuthDataSize, + RootCert, + RootCertSize, + mImageDigest, + mImageDigestSize + ); +if (VerifyStatus) { // - // Call AuthenticodeVerify library to Verify Authenticode struct. + // The image is signed and its signature is found in 'db'. // -
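Review bot: the "'dbx' does not exist" branch added in IsAllowedByDb() leaves DbxData NULL and DbxDataSize 0, and from patch 06 on a NULL list makes the cert-hash lookup return EFI_INVALID_PARAMETER, which the callers treat as found; the revocation check that follows a successful AuthenticodeVerify() (cut off in this hunk) therefore needs a `DbxData != NULL` guard, otherwise every db-signed image is rejected on a system without dbx. The added comment also misspells "occurred" as "occured".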
[edk2-devel] [PATCH v2 10/10] SecurityPkg/DxeImageVerificationLib: change IsCertHashFoundInDatabase name(CVE-2019-14575)
IsCertHashFoundInDatabase() is actually used only for searching dbx, according to the function logic, its comments and its use cases. Changing it to IsCertHashFoundInDbx to avoid confusion. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Jian J Wang --- .../DxeImageVerificationLib/DxeImageVerificationLib.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 0e1587bc3c..b7fa8ea8c5 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -829,7 +829,7 @@ AddImageExeInfo ( **/ EFI_STATUS -IsCertHashFoundInDatabase ( +IsCertHashFoundInDbx ( IN UINT8 *Certificate, IN UINTN CertSize, IN EFI_SIGNATURE_LIST *SignatureList, @@ -1362,7 +1362,7 @@ IsForbiddenByDbx ( // CertPtr = CertPtr + sizeof (UINT32) + CertSize; -Status = IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, , ); +Status = IsCertHashFoundInDbx (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, , ); if (EFI_ERROR (Status)) { // // Error in searching dbx. Consider it as 'found'. RevocationTime might 
@@ -1528,7 +1528,7 @@ IsAllowedByDb ( // // Here We still need to check if this RootCert's Hash is revoked // -Status = IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, , ); +Status = IsCertHashFoundInDbx (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, , ); if (EFI_ERROR (Status)) { // // Error in searching dbx. Consider it as 'found'. RevocationTime might -- 2.24.0.windows.2
[edk2-devel] [PATCH v2 03/10] SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in IsAllowedByDb(CVE-2019-14575)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 Normally two calls to gRT->GetVariable() are needed to get the data of a variable: get the variable size by passing zero variable size, and then allocate enough memory and pass the correct variable size and buffer. But in the inner loop in IsAllowedByDb(), the DbxDataSize was not initialized to zero before calling gRT->GetVariable(). It won't cause a problem if dbx does not exist. But it will give a wrong result if dbx exists and the DbxDataSize happens to be a small enough value. In this situation, EFI_BUFFER_TOO_SMALL will be returned. Then the result check code that follows will jump to 'Done', which is not correct because it's actually the value expected. if (Status == EFI_BUFFER_TOO_SMALL) { goto Done; } Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Jian J Wang Reviewed-by: Jiewen Yao --- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 5dcd6efed5..1efb2f96cd 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1456,8 +1456,9 @@ IsAllowedByDb ( // // Here We still need to check if this RootCert's Hash is revoked // +DbxDataSize = 0; Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, , NULL, , NULL); -if (Status == EFI_BUFFER_TOO_SMALL) { +if (Status != EFI_BUFFER_TOO_SMALL) { goto Done; } DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize); -- 2.24.0.windows.2
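Review bot: With the test inverted to `Status != EFI_BUFFER_TOO_SMALL`, a missing 'dbx' (EFI_NOT_FOUND) now takes the `goto Done` path in this block, and the hunk does not show what VerifyStatus holds at that point, which sits right after the comment saying the RootCert hash still has to be checked for revocation. Please confirm, or state in the commit message, which result `Done` returns for "dbx absent" versus "dbx unreadable", since the message only walks through the case where dbx exists.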
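The two-call GetVariable() size probe described in the commit message above, as an added example (not code from the patch or from edk2): a self-contained C model in which `get_variable`, `var_store_t`, the status enum and the 8-byte digest entries are constructed stand-ins. It goes one step beyond the hunk by also keeping "dbx absent" apart from "dbx unreadable" and failing closed on the latter, which is the behaviour the IsAllowedByDb comments elsewhere on this page describe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the EFI_STATUS codes named in the patch (model values only). */
typedef enum { ST_SUCCESS, ST_BUFFER_TOO_SMALL, ST_NOT_FOUND,
               ST_INVALID_PARAMETER, ST_DEVICE_ERROR } status_t;

#define ENTRY_LEN 8   /* constructed: each dbx entry is an 8-byte digest stub */

/* Constructed variable store holding one 'dbx' blob (not EFI_SIGNATURE_LIST). */
typedef struct {
    int     present;              /* 0: variable does not exist        */
    int     broken;               /* 1: reads fail with a device error */
    uint8_t data[2 * ENTRY_LEN];  /* two revoked digests               */
} var_store_t;

static const var_store_t DBX_OK = { 1, 0,
    { 0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
      0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22 } };
static const var_store_t DBX_MISSING = { 0, 0, { 0 } };
static const var_store_t DBX_BROKEN  = { 1, 1, { 0 } };
static const uint8_t REVOKED[ENTRY_LEN] = { 0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22 };
static const uint8_t CLEAN[ENTRY_LEN]   = { 0x33,0x33,0x33,0x33,0x33,0x33,0x33,0x33 };

/* Model of the GetVariable() size contract: *size is an in/out parameter. */
static status_t get_variable(const var_store_t *vs, size_t *size, void *buf)
{
    if (vs->broken)   return ST_DEVICE_ERROR;
    if (!vs->present) return ST_NOT_FOUND;
    if (*size < sizeof vs->data) {
        *size = sizeof vs->data;             /* tell the caller what to allocate */
        return ST_BUFFER_TOO_SMALL;
    }
    if (buf == NULL)  return ST_INVALID_PARAMETER;
    memcpy(buf, vs->data, sizeof vs->data);
    *size = sizeof vs->data;
    return ST_SUCCESS;
}

/* Pre-patch probe: the size keeps whatever value it held, and the expected
 * BUFFER_TOO_SMALL answer sends the flow to 'Done'.
 * Returns 1 if the flow goes on to the allocation step, 0 if it bails out. */
int probe_before(const var_store_t *vs, size_t stale_size)
{
    size_t size = stale_size;                /* models the uninitialized DbxDataSize */
    status_t st = get_variable(vs, &size, NULL);
    if (st == ST_BUFFER_TOO_SMALL) return 0; /* goto Done: dbx is never read */
    return 1;                                /* continues with the stale size */
}

/* Post-patch probe: size reset to zero, anything but BUFFER_TOO_SMALL bails. */
int probe_after(const var_store_t *vs)
{
    size_t size = 0;
    status_t st = get_variable(vs, &size, NULL);
    if (st != ST_BUFFER_TOO_SMALL) return 0; /* goto Done */
    return 1;
}

typedef enum { FETCH_OK, FETCH_ABSENT, FETCH_ERROR } fetch_t;

/* Full two-call read that keeps "does not exist" apart from "could not read". */
fetch_t fetch_dbx(const var_store_t *vs, uint8_t **out, size_t *out_size)
{
    size_t size = 0;
    uint8_t *buf;
    status_t st;

    *out = NULL;
    *out_size = 0;
    st = get_variable(vs, &size, NULL);      /* call 1: learn the size */
    if (st == ST_NOT_FOUND) return FETCH_ABSENT;
    if (st != ST_BUFFER_TOO_SMALL) return FETCH_ERROR;
    buf = calloc(1, size);
    if (buf == NULL) return FETCH_ERROR;
    st = get_variable(vs, &size, buf);       /* call 2: read the data */
    if (st != ST_SUCCESS) { free(buf); return FETCH_ERROR; }
    *out = buf;
    *out_size = size;
    return FETCH_OK;
}

/* Revocation decision: a read error counts as "revoked", so a damaged dbx
 * cannot turn into an allow. Returns 1 when the digest must be rejected. */
int dbx_rejects(const var_store_t *vs, const uint8_t digest[ENTRY_LEN])
{
    uint8_t *dbx = NULL;
    size_t len = 0, off;
    int hit = 0;

    switch (fetch_dbx(vs, &dbx, &len)) {
    case FETCH_ABSENT: return 0;             /* no dbx: nothing is revoked */
    case FETCH_ERROR:  return 1;             /* fail closed */
    case FETCH_OK:     break;
    }
    for (off = 0; off + ENTRY_LEN <= len; off += ENTRY_LEN)
        if (memcmp(dbx + off, digest, ENTRY_LEN) == 0) hit = 1;
    free(dbx);
    return hit;
}

int main(void)
{
    printf("before, stale size 4: reaches read = %d\n", probe_before(&DBX_OK, 4));
    printf("after:                reaches read = %d\n", probe_after(&DBX_OK));
    printf("revoked rejected = %d, broken dbx rejects = %d\n",
           dbx_rejects(&DBX_OK, REVOKED), dbx_rejects(&DBX_BROKEN, CLEAN));
    return 0;
}
```
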
Re: [edk2-devel] [patch 2/2] MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558)
Reviewed-by: Eric Dong -Original Message- From: Bi, Dandan Sent: Thursday, February 13, 2020 12:03 PM To: devel@edk2.groups.io Cc: Gao, Liming ; Dong, Eric ; Wang, Jian J Subject: [patch 2/2] MdeModulePkg/DisplayEngine: Zero memory before free (CVE-2019-14558) REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611 Cc: Liming Gao Cc: Eric Dong Cc: Jian J Wang Signed-off-by: Dandan Bi --- MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c b/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c index 7d9486112b..1087004939 100644 --- a/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c +++ b/MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c @@ -821,10 +821,11 @@ PasswordProcess ( // // Old password exist, ask user for the old password // Status = ReadString (MenuOption, gPromptForPassword, StringPtr); if (EFI_ERROR (Status)) { + ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16)); FreePool (StringPtr); return Status; } // @@ -838,11 +839,11 @@ PasswordProcess ( // PasswordInvalid (); } else { Status = EFI_SUCCESS; } - + ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16)); FreePool (StringPtr); return Status; } } @@ -854,10 +855,11 @@ PasswordProcess ( if (EFI_ERROR (Status)) { // // Reset state machine for password // Question->PasswordCheck (gFormData, Question, NULL); +ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16)); FreePool (StringPtr); return Status; } // 
@@ -869,10 +871,12 @@ PasswordProcess ( if (EFI_ERROR (Status)) { // // Reset state machine for password // Question->PasswordCheck (gFormData, Question, NULL); +ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16)); +ZeroMem (TempString, (Maximum + 1) * sizeof (CHAR16)); FreePool (StringPtr); FreePool (TempString); return Status; } -- 2.18.0.windows.1
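Review bot: The pair `ZeroMem (StringPtr, (Maximum + 1) * sizeof (CHAR16)); FreePool (StringPtr);` is now repeated on four exit paths of PasswordProcess, so any exit path outside these hunks, or one added later, can still free the password buffer uncleared. A single cleanup label, or a small helper that zeroes and frees both StringPtr and TempString, would make that impossible to miss. The size expression also has to stay in step with the allocation of both buffers, which these hunks do not show.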
[edk2-devel] [PATCH 1/1] MdeModulePkg/Pci: Fixed SCT Issues in NonDiscoverablePciDevice.
GetBarAttributes, MemRead, MemWrite consistency test failed with Invalid BarIndex. Added check for BarIndex and return Invalid Parameter. PCI Controller Attribute operation with Unsupported Attributes is failing. Added check to return Unsupported when wrong attributes are set. Signed-off-by: Gaurav Jain --- .../NonDiscoverablePciDeviceIo.c | 21 +++ 1 file changed, 21 insertions(+) diff --git a/MdeModulePkg/Bus/Pci/NonDiscoverablePciDeviceDxe/NonDiscoverablePciDeviceIo.c b/MdeModulePkg/Bus/Pci/NonDiscoverablePciDeviceDxe/NonDiscoverablePciDeviceIo.c index 76cb000602fc..804e7e6cc834 100644 --- a/MdeModulePkg/Bus/Pci/NonDiscoverablePciDeviceDxe/NonDiscoverablePciDeviceIo.c +++ b/MdeModulePkg/Bus/Pci/NonDiscoverablePciDeviceDxe/NonDiscoverablePciDeviceIo.c @@ -243,6 +243,10 @@ PciIoMemRead ( EFI_ACPI_ADDRESS_SPACE_DESCRIPTOR *Desc; EFI_STATUS Status; + if (BarIndex >= PCI_MAX_BAR) { +return EFI_UNSUPPORTED; + } + if (Buffer == NULL) { return EFI_INVALID_PARAMETER; } @@ -330,6 +334,10 @@ PciIoMemWrite ( EFI_ACPI_ADDRESS_SPACE_DESCRIPTOR *Desc; EFI_STATUS Status; + if (BarIndex >= PCI_MAX_BAR) { +return EFI_UNSUPPORTED; + } + if (Buffer == NULL) { return EFI_INVALID_PARAMETER; } @@ -1302,13 +1310,22 @@ PciIoAttributes ( break; case EfiPciIoAttributeOperationEnable: +if ((Attributes & (~DEV_SUPPORTED_ATTRIBUTES)) != 0) { + return EFI_UNSUPPORTED; +} Attributes |= Dev->Attributes; case EfiPciIoAttributeOperationSet: +if ((Attributes & (~DEV_SUPPORTED_ATTRIBUTES)) != 0) { + return EFI_UNSUPPORTED; +} Enable = ((~Dev->Attributes & Attributes) & EFI_PCI_DEVICE_ENABLE) != 0; Dev->Attributes = Attributes; break; case EfiPciIoAttributeOperationDisable: +if ((Attributes & (~DEV_SUPPORTED_ATTRIBUTES)) != 0) { + return EFI_UNSUPPORTED; +} Dev->Attributes &= ~Attributes; break;
@@ -1369,6 +1386,10 @@ PciIoGetBarAttributes ( return EFI_INVALID_PARAMETER; } + if (BarIndex >= PCI_MAX_BAR) { +return EFI_UNSUPPORTED; + } + Dev = NON_DISCOVERABLE_PCI_DEVICE_FROM_PCI_IO(This); Status = GetBarResource (Dev, BarIndex, ); -- 2.17.1
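Review bot: The commit message says an invalid BarIndex returns Invalid Parameter, but all three added checks (`if (BarIndex >= PCI_MAX_BAR)`) return EFI_UNSUPPORTED; make the message and the code agree. The check also runs before the `Buffer == NULL` test in PciIoMemRead and PciIoMemWrite but after the existing EFI_INVALID_PARAMETER return in PciIoGetBarAttributes, so a call with both errors gets a different status depending on the function. In PciIoAttributes, EfiPciIoAttributeOperationEnable falls through into EfiPciIoAttributeOperationSet, so that path runs the mask test twice, the second time on Attributes after `|= Dev->Attributes`; a comment marking the fall-through as intended would help.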
Re: [edk2-devel] [patch 1/2] MdeModulePkg/String.c: Zero memory before free (CVE-2019-14558)
Reviewed-by: Eric Dong -Original Message- From: Bi, Dandan Sent: Thursday, February 13, 2020 12:03 PM To: devel@edk2.groups.io Cc: Gao, Liming ; Dong, Eric ; Wang, Jian J Subject: [patch 1/2] MdeModulePkg/String.c: Zero memory before free (CVE-2019-14558) REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1611 Cc: Liming Gao Cc: Eric Dong Cc: Jian J Wang Signed-off-by: Dandan Bi --- MdeModulePkg/Universal/HiiDatabaseDxe/String.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c index 505e063d49..10a1e691a3 100644 --- a/MdeModulePkg/Universal/HiiDatabaseDxe/String.c +++ b/MdeModulePkg/Universal/HiiDatabaseDxe/String.c @@ -1004,10 +1004,11 @@ SetStringWorker ( BlockPtr, StringTextPtr + AsciiStrSize ((CHAR8 *)StringTextPtr), TmpSize ); +ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = Block; StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize); break; @@ -1037,10 +1038,11 @@ SetStringWorker ( BlockPtr, StringTextPtr + StringSize, OldBlockSize - (StringTextPtr - StringPackage->StringBlock) - StringSize ); +ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = Block; StringPackage->StringPkgHdr->Header.Length += (UINT32) (BlockSize - OldBlockSize); break; @@ -1088,10 +1090,11 @@ SetStringWorker ( ); BlockPtr += StrSize (GlobalFont->FontInfo->FontName); CopyMem (BlockPtr, StringPackage->StringBlock, OldBlockSize); + ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = Block; StringPackage->StringPkgHdr->Header.Length += Ext2.Length; return EFI_SUCCESS; 
@@ -1273,10 +1276,11 @@ HiiNewString ( // // Append a EFI_HII_SIBT_END block to the end. // *BlockPtr = EFI_HII_SIBT_END; + ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = StringBlock; StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize; PackageListNode->PackageListHdr.PackageLength += Ucs2BlockSize; } @@ -1404,10 +1408,11 @@ HiiNewString ( // // Append a EFI_HII_SIBT_END block to the end. // *BlockPtr = EFI_HII_SIBT_END; +ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = StringBlock; StringPackage->StringPkgHdr->Header.Length += Ucs2BlockSize; PackageListNode->PackageListHdr.PackageLength += Ucs2BlockSize; @@ -1446,10 +1451,11 @@ HiiNewString ( // // Append a EFI_HII_SIBT_END block to the end. // *BlockPtr = EFI_HII_SIBT_END; + ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = StringBlock; StringPackage->StringPkgHdr->Header.Length += Ucs2FontBlockSize; PackageListNode->PackageListHdr.PackageLength += Ucs2FontBlockSize; @@ -1507,10 +1513,11 @@ HiiNewString ( // // Append a EFI_HII_SIBT_END block to the end. // *BlockPtr = EFI_HII_SIBT_END; + ZeroMem (StringPackage->StringBlock, OldBlockSize); FreePool (StringPackage->StringBlock); StringPackage->StringBlock = StringBlock; StringPackage->StringPkgHdr->Header.Length += FontBlockSize + Ucs2FontBlockSize; PackageListNode->PackageListHdr.PackageLength += FontBlockSize + Ucs2FontBlockSize; -- 2.18.0.windows.1
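Review bot: Every added `ZeroMem (StringPackage->StringBlock, OldBlockSize)` relies on OldBlockSize still being the full length of the block that is about to be freed; in these hunks that is only implied by expressions such as `BlockSize - OldBlockSize`. A helper that takes the package and does zero-then-free in one place, with the invariant stated in its comment, would cover the seven call sites in SetStringWorker and HiiNewString. The commit message carries only the Bugzilla reference; a sentence saying what data the wipe protects would explain why every replaced string block is cleared.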
Re: [edk2-devel] [PATCH 2/3] MdeModulePkg: Issues reported by ECC in EDK2.
> -Original Message- > From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of > GuoMinJ > Sent: Thursday, February 13, 2020 4:34 PM > To: devel@edk2.groups.io > Cc: GuoMinJ > Subject: [edk2-devel] [PATCH 2/3] MdeModulePkg: Issues reported by ECC in > EDK2. > > https://bugzilla.tianocore.org/show_bug.cgi?id=2515 > > Change the MdeModulePkg to match the ECC check rule Reviewed-by: Hao A Wu Best Regards, Hao Wu > > Signed-off-by: GuoMinJ > --- > MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c | 4 ++-- > MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c | 2 +- > MdeModulePkg/MdeModulePkg.uni | 4 > 3 files changed, 7 insertions(+), 3 deletions(-) > > diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c > b/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c > index f8020f4e72..6c68a97d4e 100644 > --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c > +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c > @@ -2071,7 +2071,7 @@ InitializeP2C ( >PciIo->Pci.Write (PciIo, EfiPciIoWidthUint8, 0x3C, 1, ); > } > > -/* > +/** >Authenticate the PCI device by using DeviceSecurityProtocol. > >@param PciIoDevice PCI device. > @@ -2079,7 +2079,7 @@ InitializeP2C ( >@retval EFI_SUCCESS The device passes the authentication. >@return not EFI_SUCCESS The device failes the authentication or >unexpected error happen during authentication. > -*/ > +**/ > EFI_STATUS > AuthenticatePciDevice ( >IN PCI_IO_DEVICE*PciIoDevice > diff --git a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > index b05c818462..da5559ae76 100644 > --- a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > +++ b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c 
> @@ -2200,7 +2200,7 @@ SdMmcSoftwareReset ( >SD specification section 3.10. > >@param[in] PrivatePointer to driver private data. > - @param[in] TrbPointer to currently executing TRB. > + @param[in] Slot Index of the slot for device. >@param[in] IntStatus Normal interrupt status mask. > >@retval EFI_CRC_ERROR CRC error happened during CMD execution. > diff --git a/MdeModulePkg/MdeModulePkg.uni > b/MdeModulePkg/MdeModulePkg.uni > index cc18e53322..2c856ed073 100644 > --- a/MdeModulePkg/MdeModulePkg.uni > +++ b/MdeModulePkg/MdeModulePkg.uni > @@ -1314,3 +1314,7 @@ > >"when the PCD is TRUE but > CPU doesn't support 5-Level Paging." > >" TRUE - 5-Level Paging will > be enabled." > >" FALSE - 5-Level Paging will > not be enabled." > + > +#string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdTcgPfpMeasurementRevision_PR > OMPT #language en-US "TCG Platform Firmware Profile revision" > + > +#string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdTcgPfpMeasurementRevision_HE > LP #language en-US "Indicates which TCG Platform Firmware Profile revision > the EDKII firmware follows." > -- > 2.17.1
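Review bot: The first hunk converts the AuthenticatePciDevice comment delimiters to `/**` and `**/` but leaves "failes" and "unexpected error happen" in the @return text they enclose; fix the wording while the block is being touched. The MdeModulePkg.uni hunk adds PROMPT and HELP strings for PcdTcgPfpMeasurementRevision, which is a different kind of change from the two comment fixes, and the commit message ("match the ECC check rule") does not say which rule each of the three files addresses.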
Re: [edk2-devel] [edk2-platforms] [PATCH v2 4/4] WhiskeylakeOpenBoardPkg/UpXtreme: Add DSC and build files
Reviewed-by: Chasel Chiu > -Original Message- > From: Agyeman, Prince > Sent: Friday, February 14, 2020 1:55 AM > To: devel@edk2.groups.io > Cc: Chiu, Chasel ; Desimone, Nathaniel L > > Subject: [edk2-platforms] [PATCH v2 4/4] > WhiskeylakeOpenBoardPkg/UpXtreme: Add DSC and build files > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2191 > > Adds the DSC and build files necessary to build the > UpXtreme board instance. > > Key files > = > * build_config.cfg - Board-specific build configuration file. > * OpenBoardPkg.dsc - The UpXtreme board description file. > * OpenBoardPkgPcd.dsc - Used for other PCD customization. > * OpenBoardPkg.fdf - The UpXtreme board flash file. > * OpenBoardPkgBuildOption.dsc - Sets build options Based > on PCD values. > > Co-authored-by: Michael Kubacki > Cc: Chasel Chiu > Cc: Nate DeSimone > Signed-off-by: Prince Agyeman > --- > Platform/Intel/Readme.md | 19 +- > .../UpXtreme/OpenBoardPkg.dsc | 448 +++ > .../UpXtreme/OpenBoardPkg.fdf | 708 > ++ > .../UpXtreme/OpenBoardPkgBuildOption.dsc | 154 > .../UpXtreme/OpenBoardPkgPcd.dsc | 409 ++ > .../UpXtreme/build_config.cfg | 35 + > Platform/Intel/build.cfg | 1 + > 7 files changed, 1772 insertions(+), 2 deletions(-) > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.fdf > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkgBuildOpt > ion.dsc > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkgPcd.dsc > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/build_config.cfg > > diff --git a/Platform/Intel/Readme.md b/Platform/Intel/Readme.md > index 02d9517d19..55cf02a8ca 100644 > --- a/Platform/Intel/Readme.md > +++ b/Platform/Intel/Readme.md 
> @@ -59,6 +59,12 @@ A UEFI firmware implementation using MinPlatformPkg > is constructed using the fol > > ### **Supported Hardware** > > + AAEON > + > +| Machine Name | Supported Chipsets > | BoardPkg | Board Name | > +|| > --|| > +| UP Xtreme | Whiskey Lake > | WhiskeylakeOpenBoardPkg | UpXtreme | > + > Intel > > ***Intel Reference and Validation Platform*** > @@ -233,6 +239,9 @@ return back to the minimum platform caller. >| || > build settings, environment variables. >| || >| ||--WhiskeylakeOpenBoardPkg > + | || |--UpXtreme > + | || |---build_config.cfg: > UpXtreme specific build > + | || > settings environment variables. >| || |--WhiskeylakeURvp >| || |---build_config.cfg: > WhiskeylakeURvp specific build >| || > settings environment variables. > @@ -254,8 +263,14 @@ return back to the minimum platform caller. > 1. This firmware project has only been tested booting to Microsoft Windows > 10 x64 and Ubuntu 17.10 with AHCI mode. > > **WhiskeylakeOpenBoardPkg** > -1. This firmware project has only been tested booting to Microsoft Windows > 10 x64 with AHCI mode and Integrated Graphic > +1. This firmware project has mainly been tested booting to Microsoft > Windows 10 x64 with AHCI mode and Integrated Graphic > Device. > +2. UP Xtreme boards might hang during Windows 10 boot. > +3. Not all UP Xtreme boards are supported at this time. > +* The model below boots to x64 windows 10 home edition and Ubuntu > 18.04 > + * Xtreme Intel(R) Core(TM) i3-8145UE CPU @ 2.20GHz with 8GB RAM > + * Xtreme Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz with 16GB RAM > +* Intel(R) Celeron(R) CPU 4305UE @ 2.00GHz with 4GB RAM hangs > during memory initialization > > ### **Package Builds** 
> > @@ -293,5 +308,5 @@ If you would like to help but are not sure where to > start some areas currently i > * Adding board ports for more motherboards and systems > * Adding Clang support > > -Please feel free to contact Michael Kubacki (michael.a.kubacki at intel.com) > and Isaac Oram (isaac.w.oram at intel.com) > +Please feel free to contact Isaac Oram (isaac.w.oram at intel.com) > if you would like to discuss contribution ideas. > diff --git > a/Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc > b/Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc > new file mode 100644 > index 00..2ab9cb03ea > --- /dev/null > +++ >
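Review bot: In the WhiskeylakeOpenBoardPkg notes hunk of Readme.md, the sub-list under item 3 opens with "The model below boots" (singular) but lists two booting models, and the third entry, the Celeron 4305UE that hangs during memory initialization, has no "Xtreme" prefix and sits at a different list level, so it is unclear whether it is a UP Xtreme configuration. Item 2 ("might hang during Windows 10 boot") would be more useful if it named the affected models or conditions.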
Re: [edk2-devel] [edk2-platforms] [PATCH v2 1/4] WhiskeylakeOpenBoardPkg/WhiskeylakeURvp: Remove BoardFuncInit
Reviewed-by: Chasel Chiu > -Original Message- > From: Agyeman, Prince > Sent: Friday, February 14, 2020 1:55 AM > To: devel@edk2.groups.io > Cc: Chiu, Chasel ; Desimone, Nathaniel L > > Subject: [edk2-platforms] [PATCH v2 1/4] > WhiskeylakeOpenBoardPkg/WhiskeylakeURvp: Remove BoardFuncInit > > Removes BoardFuncInit related functionality in WhiskeylakeURvp. > > Co-authored-by: Michael Kubacki > Cc: Chasel Chiu > Cc: Nate DeSimone > Signed-off-by: Prince Agyeman > --- > .../Library/BoardInitLib/BoardFunc.c | 19 > .../Library/BoardInitLib/BoardFunc.h | 20 - > .../Library/BoardInitLib/BoardFuncInit.c | 26 - > .../BoardInitLib/BoardFuncInitPreMem.c| 29 +-- > .../BoardInitLib/BoardPchInitPreMemLib.c | 3 +- > .../PeiMultiBoardInitPostMemLib.inf | 4 --- > .../PeiWhiskeylakeURvpInitPostMemLib.c| 8 - > .../PeiWhiskeylakeURvpInitPreMemLib.c | 10 +-- > 8 files changed, 9 insertions(+), 110 deletions(-) delete mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardIni > tLib/BoardFunc.c > delete mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardIni > tLib/BoardFunc.h > delete mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardIni > tLib/BoardFuncInit.c > > diff --git > a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/Board > InitLib/BoardFunc.c > b/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/Board > InitLib/BoardFunc.c > deleted file mode 100644 > index 7a2fed9904..00 > --- > a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/Board > InitLib/BoardFunc.c > +++ /dev/null > @@ -1,19 +0,0 @@ > -/** @file > - Board's PCD function hook. > - > - > - Copyright (c) 2019, Intel Corporation. All rights reserved. > - SPDX-License-Identifier: BSD-2-Clause-Patent -**/ > - > -#include > - > -EFI_STATUS > -PeiBoardSpecificInitPostMemNull ( > - VOID > - ) > -{ > - return EFI_SUCCESS; > -} > - > - 
> diff --git > a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/Board > InitLib/BoardFunc.h > b/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/Board > InitLib/BoardFunc.h > deleted file mode 100644 > index 9e0ff8d033..00 > --- > a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/Board > InitLib/BoardFunc.h > +++ /dev/null > @@ -1,20 +0,0 @@ > -/** @file > - Header file for Board Hook function intance. > - > - > - Copyright (c) 2019, Intel Corporation. All rights reserved. > - SPDX-License-Identifier: BSD-2-Clause-Patent -**/ > - > -#ifndef _BOARD_FUNC_H_ > -#define _BOARD_FUNC_H_ > - > -#include > - > -EFI_STATUS > -PeiBoardSpecificInitPostMemNull ( > - VOID > - ); > - > -#endif // _BOARD_FUNC_H_ > - > diff --git > a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/Board > InitLib/BoardFuncInit.c > b/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/Board > InitLib/BoardFuncInit.c > deleted file mode 100644 > index b8c69166ed..00 > --- > a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/Board > InitLib/BoardFuncInit.c > +++ /dev/null > @@ -1,26 +0,0 @@ > -/** @file > - Source code for the board configuration init function in Post Memory init > phase. > - > - > - Copyright (c) 2019, Intel Corporation. All rights reserved. > - SPDX-License-Identifier: BSD-2-Clause-Patent -**/ > - > -#include "BoardFunc.h" > - > -/** > - Board's PCD function hook init function for PEI post memory phase. > - > - @param[in] BoardId An unsigned integrer represent the board id. > - > - @retval EFI_SUCCESS The function completed successfully. > -**/ > -EFI_STATUS > -BoardFunctionInit ( > - IN UINT16 BoardId > -) > -{ > - > - return EFI_SUCCESS; > -} > - 
> diff --git > a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/Board > InitLib/BoardFuncInitPreMem.c > b/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/Board > InitLib/BoardFuncInitPreMem.c > index 1944a02bf1..06ff64da8d 100644 > --- > a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/Board > InitLib/BoardFuncInitPreMem.c > +++ > b/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/Boa > +++ rdInitLib/BoardFuncInitPreMem.c > @@ -2,39 +2,24 @@ >Source code for the board configuration init function in Post Memory init > phase. > > > - Copyright (c) 2019, Intel Corporation. All rights reserved. > + Copyright (c) 2019 - 2020, Intel Corporation. All rights > + reserved. >SPDX-License-Identifier: BSD-2-Clause-Patent **/ > > #include > + > // > // Null function for nothing GOP VBT update. > // > VOID > -GopVbtSpecificUpdateNull( > +GopVbtSpecificUpdateNull ( >IN CHILD_STRUCT **ChildStructPtr > -); > + ); > + > // > // for CFL U DDR4 > // > VOID > -CflUDdr4GopVbtSpecificUpdate( >
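Review bot: In BoardFuncInitPreMem.c the @file description kept as context still reads "board configuration init function in Post Memory init phase" although this is the PreMem file; the hunk already edits this header for the copyright year, so correct the description there too. The same hunk mixes spacing fixes (`GopVbtSpecificUpdateNull (` and the `);` indentation) with the functional removal, which is better split out or at least mentioned in the commit message.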
Re: [edk2-devel] [edk2-platforms] [PATCH v2 2/4] WhiskeylakeOpenBoardPkg: Add UpXtreme board ID
Reviewed-by: Chasel Chiu > -Original Message- > From: Agyeman, Prince > Sent: Friday, February 14, 2020 1:55 AM > To: devel@edk2.groups.io > Cc: Chiu, Chasel ; Desimone, Nathaniel L > > Subject: [edk2-platforms] [PATCH v2 2/4] WhiskeylakeOpenBoardPkg: Add > UpXtreme board ID > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2191 > > Co-authored-by: Michael Kubacki > Cc: Chasel Chiu > Cc: Nate DeSimone > Signed-off-by: Prince Agyeman > --- > .../Intel/WhiskeylakeOpenBoardPkg/Include/PlatformBoardId.h | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git > a/Platform/Intel/WhiskeylakeOpenBoardPkg/Include/PlatformBoardId.h > b/Platform/Intel/WhiskeylakeOpenBoardPkg/Include/PlatformBoardId.h > index 3545b2a05c..4e8288b1f1 100644 > --- a/Platform/Intel/WhiskeylakeOpenBoardPkg/Include/PlatformBoardId.h > +++ b/Platform/Intel/WhiskeylakeOpenBoardPkg/Include/PlatformBoardId.h > @@ -1,8 +1,8 @@ > /** @file > -Defines Platform BoardIds > + Defines Whiskey Lake Platform Board IDs > > > - Copyright (c) 2019, Intel Corporation. All rights reserved. > + Copyright (c) 2019 - 2020, Intel Corporation. All rights > + reserved. >SPDX-License-Identifier: BSD-2-Clause-Patent **/ > > @@ -21,6 +21,7 @@ Defines Platform BoardIds > #define TypeTrad0x1 > #define TypeUltUlx 0x2 > > +#define BoardIdUpXtreme 0x10 > #define BoardIdWhiskeyLakeRvp 0x60 > > #define BoardIdUnknown1 0x > -- > 2.19.1.windows.1
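Review bot: `#define BoardIdUpXtreme 0x10` is added in the second hunk without a comment, and the commit message contains only the Bugzilla reference, so nothing records where the value 0x10 comes from or how the board reports it. A one-line comment next to the define, or a sentence in the message, would let a later board port check for collisions with the other IDs in this header.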
[edk2-devel] [PATCH v4] IntelSiliconPkg: FIT based shadow microcode PPI support.
V4 Changes: Adjust EDKII_MICROCODE_SHADOW_INFO_HOB structure definition for better alignment and understanding. Add EFI_MICROCODE_STORAGE_TYPE_FLASH_CONTEXT structure definition. Fix a typo in EFI_MICROCODE_STORAGE_TYPE_FLASH_GUID. Merge ShadowMicrocodePei.h header into c file. Correct file header description and copyright year. V3 Changes: Remove the feature PCD PcdCpuShadowMicrocodeByFit because the whole FIT microcode shadow code is moved to this PEIM so platform could disable this feature by not including the PEIM now. V2 Changes: Rename EDKII_PEI_CPU_MICROCODE_ID to EDKII_PEI_MICROCODE_CPU_ID. This patch adds a platform PEIM for FIT based shadow microcode PPI support. A detailed design doc can be found here: https://edk2.groups.io/g/devel/files/Designs/2020/0214/Support%20the%202nd%20Microcode%20FV%20Flash%20Region.pdf TEST: Tested on FIT enabled platform. BZ: https://tianocore.acgmultimedia.com/show_bug.cgi?id=2449 Cc: Michael D Kinney Cc: Ray Ni Cc: Rangasai V Chaganty Signed-off-by: Siyuan Fu --- .../ShadowMicrocode/ShadowMicrocodePei.c | 435 ++ .../ShadowMicrocode/ShadowMicrocodePei.inf| 43 ++ .../Include/Guid/MicrocodeShadowInfoHob.h | 64 +++ .../Intel/IntelSiliconPkg/IntelSiliconPkg.dec | 8 +- .../Intel/IntelSiliconPkg/IntelSiliconPkg.dsc | 3 +- 5 files changed, 551 insertions(+), 2 deletions(-) create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/ShadowMicrocode/ShadowMicrocodePei.c create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/ShadowMicrocode/ShadowMicrocodePei.inf create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/Guid/MicrocodeShadowInfoHob.h diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/ShadowMicrocode/ShadowMicrocodePei.c b/Silicon/Intel/IntelSiliconPkg/Feature/ShadowMicrocode/ShadowMicrocodePei.c new file mode 100644 index 00..26c5368d1e --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Feature/ShadowMicrocode/ShadowMicrocodePei.c
@@ -0,0 +1,435 @@ +/** @file + FIT based microcode shadow PEIM. + +Copyright (c) 2020, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +// +// Data structure for microcode patch information +// +typedef struct { + UINTNAddress; + UINTNSize; +} MICROCODE_PATCH_INFO; + +/** + Shadow microcode update patches to memory. + + The function is used for shadowing microcode update patches to a continuous memory. + It shall allocate memory buffer and only shadow the microcode patches for those + processors specified by MicrocodeCpuId array. The checksum verification may be + skiped in this function so the caller must perform checksum verification before + using the microcode patches in returned memory buffer. + + @param[in] This The PPI instance pointer. + @param[in] CpuIdCount Number of elements in MicrocodeCpuId array. + @param[in] MicrocodeCpuId A pointer to an array of EDKII_PEI_MICROCODE_CPU_ID + structures. + @param[out] BufferSize Pointer to receive the total size of Buffer. + @param[out] Buffer Pointer to receive address of allocated memory + with microcode patches data in it. + + @retval EFI_SUCCESS The microcode has been shadowed to memory. + @retval EFI_OUT_OF_RESOURCES The operation fails due to lack of resources. + +**/ +EFI_STATUS +ShadowMicrocode ( + IN EDKII_PEI_SHADOW_MICROCODE_PPI*This, + IN UINTN CpuIdCount, + IN EDKII_PEI_MICROCODE_CPU_ID*MicrocodeCpuId, + OUT UINTN *BufferSize, + OUT VOID **Buffer + ); + + +EDKII_PEI_SHADOW_MICROCODE_PPI mPeiShadowMicrocodePpi = { + ShadowMicrocode +}; + + +EFI_PEI_PPI_DESCRIPTOR mPeiShadowMicrocodePpiList[] = { + { +EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST, +, + + } +}; + +/** + Determine if a microcode patch matchs the specific processor signature and flag. + + @param[in] CpuIdCountNumber of elements in MicrocodeCpuId array. 
+ @param[in] MicrocodeCpuIdA pointer to an array of EDKII_PEI_MICROCODE_CPU_ID +structures. + @param[in] ProcessorSignatureThe processor signature field value +supported by a microcode patch. + @param[in] ProcessorFlagsThe prcessor flags field value supported by +a microcode patch. + + @retval TRUE The specified microcode patch will be loaded. + @retval FALSEThe specified microcode patch will not be loaded. +**/ +BOOLEAN +IsProcessorMatchedMicrocodePatch ( + IN UINTN CpuIdCount, + IN EDKII_PEI_MICROCODE_CPU_ID
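Review bot: The ShadowMicrocode header comment lists only EFI_SUCCESS and EFI_OUT_OF_RESOURCES, so the behaviour for a CpuIdCount of 0 or a NULL MicrocodeCpuId, BufferSize or Buffer is undocumented; add the @retval, or state that callers must not pass them. The same comment says checksum verification "may be skiped" and leaves it to the caller, which is a security-relevant contract and should say definitely whether this PEIM verifies the patches it shadows. Typos in the new comments: "skiped", "matchs", "prcessor".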
Re: [edk2-devel] [edk2-platforms] Building a platform: which edk2 revision to choose?
Felix: I always pull the latest edk2 and edk2-platform, then build it. Thanks Liming From: devel@edk2.groups.io On Behalf Of Felix Polyudov Sent: Friday, February 14, 2020 7:11 AM To: devel@edk2.groups.io Cc: Kubacki, Michael A Subject: [edk2-devel] [edk2-platforms] Building a platform: which edk2 revision to choose? I'm trying to build one of the board packages from the edk2-platform repository. (I'm building WhiskeylakeOpenBoardPkg, but I suspect the problem exists for most of the board packages). The build process fails (I'm using build instructions from https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel). I suspect this is happening because tip of the board package is not compatible with tip of the edk2 repo. Is there a defined way for me to figure out the latest working revisions of the edk2 repo (or the other 2 repos that are part of the project) that I should use? Thanks Felix P
Re: [edk2-devel] [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: Differentiate error and search result in IsCertHashFoundInDatabase(CVE-2019-14575)
Fine. Thanks for the update. > -Original Message- > From: Wang, Jian J > Sent: Friday, February 14, 2020 11:32 AM > To: Yao, Jiewen ; devel@edk2.groups.io > Cc: Zhang, Chao B ; Laszlo Ersek > > Subject: RE: [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: Differentiate > error and search result in IsCertHashFoundInDatabase(CVE-2019-14575) > > Jiewen, > > > -Original Message- > > From: Yao, Jiewen > > Sent: Friday, February 14, 2020 8:54 AM > > To: Wang, Jian J ; devel@edk2.groups.io > > Cc: Zhang, Chao B ; Laszlo Ersek > > > > Subject: RE: [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: Differentiate > > error and search result in IsCertHashFoundInDatabase(CVE-2019-14575) > > > > 1) I prefer we do a little bit simple clean up in this series. Just name > > change. > > Maybe as patch-10. > > > > Sure. I'll add it in v2. > > > 2) When PassTimestampCheck() need to be called? Only Dbx is found? Or even > > the Dbx is broken? > > > > I prefer we need use a consistent rule. > > > > Case 1 in original patch: > > if (!EFI_ERROR (Status) && PassTimestampCheck (AuthData, AuthDataSize, > > > > )) { > > > > Case 2 in your email: > > > VerifyStatus = PassTimestampCheck (AuthData, AuthDataSize, > > > ); > > > if (!VerifyStatus) { > > > > It seems they are not consistent... > > > > Just talked to Chao privately. He mentioned that RevocationTime might not > be valid if Status != EFI_SUCCESS. So we should only call PassTimestampCheck() > when Status == EFI_SUCCESS and IsFound == TRUE. > > Here's my new proposal (for case 1, case 2 is similar). > > Status = IsCertHashFoundInDatabase (...); > if (EFI_ERROR(Status)) { > // > // Error in searching dbx. Consider it as 'found'. RevocationTime might > // not be valid in such situation. > // > IsForbidden = TRUE; > } else if (IsFound) { > // > // Found Cert in dbx successfully. Check the timestamp signature and > // signing time to determine if the image can be trusted. 
> // > if (PassTimestampCheck (AuthData, AuthDataSize, )) { > IsForbidden = FALSE; > // > // Pass DBT check. Continue to check other certs in image signer's > cert list > against DBX, DBT > // > continue; > } else { > IsForbidden = TRUE; > DEBUG((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but > signature failed the timestamp check.\n")); > goto Done; > } > } > > If no objection, I'll include it in v2. > > Regards, > Jian > > Thank you > > Yao Jiewen > > > > > > > -Original Message- > > > From: Wang, Jian J > > > Sent: Thursday, February 13, 2020 11:08 PM > > > To: Yao, Jiewen ; devel@edk2.groups.io > > > Cc: Zhang, Chao B ; Laszlo Ersek > > > > > > Subject: RE: [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: > > > Differentiate > > > error and search result in IsCertHashFoundInDatabase(CVE-2019-14575) > > > > > > Jiewen, > > > > > > Thanks for the comments. > > > > > > 1) You're right. IsCertHashFoundInDatabase is quite general and cause > > > confusions between > > > db and dbx situation. Since it's not newly introduced in this patch > > > series, do > you > > > think it's ok > > > to fix it in separate patch series later? Or do you prefer fix it in this > > > patch > series? > > > I'm ok with > > > both. > > > > > > 2) I checked both code again. I think you're right. Both callings are for > > > dbx, > any > > > error Status > > > should be taken as IsFound(==TRUE). What about following change for the > > > second case? > > > Please help double check if any logic hole here. > > > > > > Status = IsCertHashFoundInDatabase (...); > > > if (EFI_ERROR (Status) || IsFound) { > > > // > > > // Check the timestamp signature and signing time to > > > determine if > the > > > RootCert can be trusted. 
> > > // > > > VerifyStatus = PassTimestampCheck (AuthData, AuthDataSize, > > > ); > > > if (!VerifyStatus) { > > > DEBUG ((...)); > > > } > > > } else { > > > VerifyStatus = TRUE; > > > } > > > > > > goto Done; > > > > > > Regards, > > > Jian > > > > > > > -Original Message- > > > > From: Yao, Jiewen > > > > Sent: Thursday, February 13, 2020 6:11 PM > > > > To: Wang, Jian J ; devel@edk2.groups.io > > > > Cc: Zhang, Chao B ; Laszlo Ersek > > > > > > > > Subject: RE: [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: > Differentiate > > > > error and search result in IsCertHashFoundInDatabase(CVE-2019-14575) > > > > > > > > Comment below: > > > > > > > > 1) I think the function name - IsCertHashFoundInDatabase() and the > > > > implementation { DbxList = SignatureList; DbxSize = > > > > SignatureListSize; } > > bring > > > > some confusion to me. > > > > > > > > If this is a *generic* database search
Re: [edk2-devel] [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: Differentiate error and search result in IsCertHashFoundInDatabase(CVE-2019-14575)
Jiewen,

> -Original Message-
> From: Yao, Jiewen
> Sent: Friday, February 14, 2020 8:54 AM
> To: Wang, Jian J ; devel@edk2.groups.io
> Cc: Zhang, Chao B ; Laszlo Ersek
> Subject: RE: [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: Differentiate
> error and search result in IsCertHashFoundInDatabase(CVE-2019-14575)
>
> 1) I prefer we do a little bit simple clean up in this series. Just name
> change.
> Maybe as patch-10.
>

Sure. I'll add it in v2.

> 2) When PassTimestampCheck() need to be called? Only Dbx is found? Or even
> the Dbx is broken?
>
> I prefer we need use a consistent rule.
>
> Case 1 in original patch:
> if (!EFI_ERROR (Status) && PassTimestampCheck (AuthData, AuthDataSize,
> > > )) {
>
> Case 2 in your email:
> > VerifyStatus = PassTimestampCheck (AuthData, AuthDataSize,
> > );
> > if (!VerifyStatus) {
>
> It seems they are not consistent...
>

Just talked to Chao privately. He mentioned that RevocationTime might not be
valid if Status != EFI_SUCCESS. So we should only call PassTimestampCheck()
when Status == EFI_SUCCESS and IsFound == TRUE.

Here's my new proposal (for case 1, case 2 is similar).

  Status = IsCertHashFoundInDatabase (...);
  if (EFI_ERROR(Status)) {
    //
    // Error in searching dbx. Consider it as 'found'. RevocationTime might
    // not be valid in such situation.
    //
    IsForbidden = TRUE;
  } else if (IsFound) {
    //
    // Found Cert in dbx successfully. Check the timestamp signature and
    // signing time to determine if the image can be trusted.
    //
    if (PassTimestampCheck (AuthData, AuthDataSize, )) {
      IsForbidden = FALSE;
      //
      // Pass DBT check. Continue to check other certs in image signer's cert list against DBX, DBT
      //
      continue;
    } else {
      IsForbidden = TRUE;
      DEBUG((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature failed the timestamp check.\n"));
      goto Done;
    }
  }

If no objection, I'll include it in v2.
Regards, Jian > Thank you > Yao Jiewen > > > > -Original Message- > > From: Wang, Jian J > > Sent: Thursday, February 13, 2020 11:08 PM > > To: Yao, Jiewen ; devel@edk2.groups.io > > Cc: Zhang, Chao B ; Laszlo Ersek > > > > Subject: RE: [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: Differentiate > > error and search result in IsCertHashFoundInDatabase(CVE-2019-14575) > > > > Jiewen, > > > > Thanks for the comments. > > > > 1) You're right. IsCertHashFoundInDatabase is quite general and cause > > confusions between > > db and dbx situation. Since it's not newly introduced in this patch series, > > do you > > think it's ok > > to fix it in separate patch series later? Or do you prefer fix it in this > > patch series? > > I'm ok with > > both. > > > > 2) I checked both code again. I think you're right. Both callings are for > > dbx, any > > error Status > > should be taken as IsFound(==TRUE). What about following change for the > > second case? > > Please help double check if any logic hole here. > > > > Status = IsCertHashFoundInDatabase (...); > > if (EFI_ERROR (Status) || IsFound) { > > // > > // Check the timestamp signature and signing time to > > determine if the > > RootCert can be trusted. 
> > // > > VerifyStatus = PassTimestampCheck (AuthData, AuthDataSize, > > ); > > if (!VerifyStatus) { > > DEBUG ((...)); > > } > > } else { > > VerifyStatus = TRUE; > > } > > > > goto Done; > > > > Regards, > > Jian > > > > > -Original Message- > > > From: Yao, Jiewen > > > Sent: Thursday, February 13, 2020 6:11 PM > > > To: Wang, Jian J ; devel@edk2.groups.io > > > Cc: Zhang, Chao B ; Laszlo Ersek > > > > > > Subject: RE: [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: > > > Differentiate > > > error and search result in IsCertHashFoundInDatabase(CVE-2019-14575) > > > > > > Comment below: > > > > > > 1) I think the function name - IsCertHashFoundInDatabase() and the > > > implementation { DbxList = SignatureList; DbxSize = > > > SignatureListSize; } > bring > > > some confusion to me. > > > > > > If this is a *generic* database search function, I recommend we use a > generic > > > name - not use DbxList/DbxSize in the function implementation. > > > > > > If the input SignatureList of the function must be *Dbx*, I recommend we > use > > > IsCertHashFoundInDbx() as the function name. > > > > > > Either change is OK for me. > > > > > > 2) Now we have to check 2 output: Status and IsFound in > > > IsCertHashFoundInDatabase(). > > > > > > I am struggling to understand the different between 2 different ways of > > > error > > > handling: > > > > > > === > > > Status = IsCertHashFoundInDatabase (Cert, CertSize, > (EFI_SIGNATURE_LIST > > > *)Data,
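The two dbx-handling rules debated in this thread, modelled side by side as an added example (not code from the patch series or from SecurityPkg). It goes slightly beyond the mails by applying both rules to the same cert-list walk; every type and function name is constructed for illustration, and the walk is assumed to stop at the first forbidden verdict.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model types; the names are illustrative, not SecurityPkg symbols. */
typedef enum { SEARCH_OK, SEARCH_ERROR } search_status;

typedef struct {
    search_status status;  /* outcome of the dbx search itself              */
    bool found;            /* meaningful only when status == SEARCH_OK      */
    bool timestamp_pass;   /* what the timestamp check would answer; after  */
                           /* SEARCH_ERROR the revocation time is unset, so */
                           /* this answer is arbitrary                      */
} cert_lookup;

typedef enum { CERT_CONTINUE, CERT_FORBIDDEN } cert_decision;

typedef struct {
    unsigned timestamp_calls;    /* times the timestamp check was consulted */
    unsigned invalid_time_calls; /* ...without a valid revocation time      */
} audit;

typedef cert_decision (*rule_fn)(const cert_lookup *, audit *);

/* Shared helper: consult the modelled timestamp check and record the call. */
static cert_decision check_timestamp(const cert_lookup *c, audit *a)
{
    a->timestamp_calls++;
    if (c->status == SEARCH_ERROR) {
        a->invalid_time_calls++;
    }
    return c->timestamp_pass ? CERT_CONTINUE : CERT_FORBIDDEN;
}

/* Rule from the 13 February mail: a failed search is folded into "found",
   and the timestamp check then decides. */
cert_decision rule_error_or_found(const cert_lookup *c, audit *a)
{
    if (c->status == SEARCH_ERROR || c->found) {
        return check_timestamp(c, a);
    }
    return CERT_CONTINUE;
}

/* Rule from the 14 February mail: a failed search forbids outright; the
   timestamp check runs only after a successful search that found the cert. */
cert_decision rule_error_forbids(const cert_lookup *c, audit *a)
{
    if (c->status == SEARCH_ERROR) {
        return CERT_FORBIDDEN;
    }
    if (c->found) {
        return check_timestamp(c, a);
    }
    return CERT_CONTINUE;
}

/* Walk a signer's cert list. Assumption: evaluation stops at the first
   forbidden verdict (the mail does not show the code after the error branch). */
bool image_forbidden(const cert_lookup *certs, size_t n, rule_fn rule, audit *a)
{
    a->timestamp_calls = 0;
    a->invalid_time_calls = 0;
    for (size_t i = 0; i < n; i++) {
        if (rule(&certs[i], a) == CERT_FORBIDDEN) {
            return true;
        }
    }
    return false;
}

/* Constructed sample chain: the second lookup fails, and the arbitrary
   timestamp answer happens to be "pass". */
const cert_lookup SAMPLE_CHAIN[3] = {
    { SEARCH_OK,    false, false },
    { SEARCH_ERROR, false, true  },
    { SEARCH_OK,    false, false },
};

int main(void)
{
    audit a;
    bool r1 = image_forbidden(SAMPLE_CHAIN, 3, rule_error_or_found, &a);
    printf("error-or-found rule: forbidden=%d, checks on invalid time=%u\n",
           r1, a.invalid_time_calls);
    bool r2 = image_forbidden(SAMPLE_CHAIN, 3, rule_error_forbids, &a);
    printf("error-forbids rule:  forbidden=%d, checks on invalid time=%u\n",
           r2, a.invalid_time_calls);
    return 0;
}
```

Under the earlier rule the failed lookup is decided by a timestamp comparison against an unset revocation time; under the later rule it never reaches that comparison.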
[edk2-devel] OVMF and MEMFD_BASE_ADDRESS values.
I'm trying to understand the constraints around the value used with MEMFD_BASE_ADDRESS? The reason I'm asking is I've been asked to remove firmware from using lower memory addresses in the low 0x80 range as it is taking up too many ASLR bits in low memory VMs or some such. At least on my OVMF config that seems to be PcdOvmfLockBoxStorageBase and PcdOvmfPeiMemFvBase. It is easy enough to move MEMFD_BASE_ADDRESS to a much higher address, but I'm not sure if there are any restrictions to the addresses I can use? Thanks, Andrew Fish
Re: [edk2-devel] [PATCH v3] IntelSiliconPkg: FIT based shadow microcode PPI support.
Hi Mike See my reply for the ASSERT and magic number around FIT table parsing code. > -Original Message- > From: Kinney, Michael D > Sent: 2020年2月13日 8:58 > To: devel@edk2.groups.io; Fu, Siyuan ; Kinney, Michael > D > Cc: Ni, Ray ; Chaganty, Rangasai V > > Subject: RE: [edk2-devel] [PATCH v3] IntelSiliconPkg: FIT based shadow > microcode PPI support. > > Siyuan, > > IntelSiliconPkg/Feature/ShadowMicrocode: > > For simple modules that only have a single .c file, there > Is not need to split out a .h file. Please merge the .h > File content into the .c file and delete the .h file. > > More comments inline below. > > Mike > > > -Original Message- > > From: devel@edk2.groups.io On > > Behalf Of Siyuan, Fu > > Sent: Tuesday, February 11, 2020 4:48 PM > > To: devel@edk2.groups.io > > Cc: Ni, Ray ; Chaganty, Rangasai V > > > > Subject: [edk2-devel] [PATCH v3] IntelSiliconPkg: FIT > > based shadow microcode PPI support. > > > > V3 Changes: > > Remove the feature PCD PcdCpuShadowMicrocodeByFit > > because the whole FIT microcode shadow code is moved to > > this PEIM so platform could disable this feature by not > > include PEIM now. > > > > V2 Changes: > > Rename EDKII_PEI_CPU_MICROCODE_ID to > > EDKII_PEI_MICROCODE_CPU_ID. > > > > This patch adds a platform PEIM for FIT based shadow > > microcode PPI support. A detailed design doc can be > > found here: > > https://edk2.groups.io/g/devel/files/Designs/2020/0214/ > > Support%20 > > the%202nd%20Microcode%20FV%20Flash%20Region.pdf Trim long patch content. 
> > + > > +**/ > > +EFI_STATUS > > +ShadowMicrocodePatchByFit ( > > + IN UINTN > > CpuIdCount, > > + IN EDKII_PEI_MICROCODE_CPU_ID > > *MicrocodeCpuId, > > + OUT UINTN > > *BufferSize, > > + OUT VOID **Buffer > > + ) > > +{ > > + UINT64FitPointer; > > + FIRMWARE_INTERFACE_TABLE_ENTRY*FitEntry; > > + UINT32EntryNum; > > + UINT32Index; > > + MICROCODE_PATCH_INFO *PatchInfoBuffer; > > + UINTN MaxPatchNumber; > > + CPU_MICROCODE_HEADER > > *MicrocodeEntryPoint; > > + UINTN PatchCount; > > + UINTN TotalSize; > > + UINTN TotalLoadSize; > > + > > + FitPointer = *(UINT64 *) (UINTN) > > FIT_POINTER_ADDRESS; if > > + ((FitPointer == 0) || > > + (FitPointer == 0x) || > > + (FitPointer == 0x)) { > > Are these constants defined in the FIT include file? > Would be better if they are #defines from FIT include > file or in this module. These values are not defined in FIT include file or FIT specification. The only way to identify if FIT table is exist in FIT spec is the _FIT_ signature, which defined in FIT header file as FIT_TYPE_00_SIGNATURE and check below. This if check is copied from the InitializeFitMicrocodeInfo() function in Silicon\Intel\IntelSiliconPkg\Feature\Capsule\MicrocodeUpdateDxe\MicrocodeFmp.c. I think it just assumes the default value of flash content is 0xFF or 0xEE and check that. This is also why I use ASSERT if the flash content doesn't seems like a valid FIT table in below if checks. FIT boot is critical to processor microcode load and BIOS RTU setup. And including this PEIM into the platform means the platform owner want to use FIT based boot and microcode loading. These ASSERTs would be helpful to let them if the FIT table content is invalid in a DEBUG version BIOS image. > > > +// > > +// No FIT table. > > +// > > +ASSERT (FALSE); > > Is it appropriate to ASSERT() here? Can this be removed? > Would a DEBUG_ERROR message be better? 
> > > +return EFI_NOT_FOUND; > > + } > > + FitEntry = (FIRMWARE_INTERFACE_TABLE_ENTRY *) > > (UINTN) FitPointer; if > > + ((FitEntry[0].Type != FIT_TYPE_00_HEADER) || > > + (FitEntry[0].Address != FIT_TYPE_00_SIGNATURE)) > > { > > +// > > +// Invalid FIT table, treat it as no FIT table. > > +// > > +ASSERT (FALSE); > > Is it appropriate to ASSERT() here? Can this be removed? > Would a DEBUG_ERROR message be better? > > > +return EFI_NOT_FOUND; > > + } > > + > > + EntryNum = *(UINT32 *)([0].Size[0]) & > > 0xFF; > > + > > + // > > + // Calculate microcode entry number > > + // > > + MaxPatchNumber = 0; > > + for (Index = 0; Index < EntryNum; Index++) { > > +if (FitEntry[Index].Type == FIT_TYPE_01_MICROCODE) > > { > > + MaxPatchNumber++; > > +} > > + } > > + if (MaxPatchNumber == 0) { > > +return EFI_NOT_FOUND; > > + } > > + > > + PatchInfoBuffer = AllocatePool (MaxPatchNumber * > > sizeof > > + (MICROCODE_PATCH_INFO)); if (PatchInfoBuffer == > > NULL) { > > +return EFI_OUT_OF_RESOURCES; > > + } > > + > > + // > > + // Fill up microcode patch info buffer according to > > FIT table. > > + // > > + PatchCount = 0; > > + TotalLoadSize = 0; > > +
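Review bot: in ShadowMicrocodePatchByFit, FitPointer is compared only against 0 and two fill patterns before it is cast and dereferenced as FitEntry, and EntryNum read from the header's Size field then bounds the "for (Index = 0; Index < EntryNum; Index++)" walk with no upper limit. Both values come from flash content, so consider checking that the pointer and the EntryNum-sized table fall inside the expected flash range before walking it. The "return EFI_NOT_FOUND" after each ASSERT (FALSE) is the path a non-DEBUG image actually takes, so a DEBUG_ERROR message there would record why the PPI found no FIT without halting.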
Re: [edk2-devel] [PATCH 2/3] MdeModulePkg: Issues reported by ECC in EDK2.
Reviewed-by: Liming Gao > -Original Message- > From: devel@edk2.groups.io On Behalf Of GuoMinJ > Sent: Thursday, February 13, 2020 4:34 PM > To: devel@edk2.groups.io > Cc: GuoMinJ > Subject: [edk2-devel] [PATCH 2/3] MdeModulePkg: Issues reported by ECC in > EDK2. > > https://bugzilla.tianocore.org/show_bug.cgi?id=2515 > > Change the MdeModulePkg to match the ECC check rule > > Signed-off-by: GuoMinJ > --- > MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c | 4 ++-- > MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c | 2 +- > MdeModulePkg/MdeModulePkg.uni | 4 > 3 files changed, 7 insertions(+), 3 deletions(-) > > diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c > b/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c > index f8020f4e72..6c68a97d4e 100644 > --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c > +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c > @@ -2071,7 +2071,7 @@ InitializeP2C ( >PciIo->Pci.Write (PciIo, EfiPciIoWidthUint8, 0x3C, 1, ); > } > > -/* > +/** >Authenticate the PCI device by using DeviceSecurityProtocol. > >@param PciIoDevice PCI device. > @@ -2079,7 +2079,7 @@ InitializeP2C ( >@retval EFI_SUCCESS The device passes the authentication. >@return not EFI_SUCCESS The device failes the authentication or >unexpected error happen during authentication. > -*/ > +**/ > EFI_STATUS > AuthenticatePciDevice ( >IN PCI_IO_DEVICE*PciIoDevice > diff --git a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > index b05c818462..da5559ae76 100644 > --- a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c > +++ b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c 
> @@ -2200,7 +2200,7 @@ SdMmcSoftwareReset ( >SD specification section 3.10. > >@param[in] PrivatePointer to driver private data. > - @param[in] TrbPointer to currently executing TRB. > + @param[in] Slot Index of the slot for device. >@param[in] IntStatus Normal interrupt status mask. > >@retval EFI_CRC_ERROR CRC error happened during CMD execution. > diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni > index cc18e53322..2c856ed073 100644 > --- a/MdeModulePkg/MdeModulePkg.uni > +++ b/MdeModulePkg/MdeModulePkg.uni > @@ -1314,3 +1314,7 @@ > >"when the PCD is TRUE but CPU doesn't support 5-Level Paging." > >" TRUE - 5-Level Paging will be enabled." > >" FALSE - 5-Level Paging will not be enabled." > + > +#string > STR_gEfiMdeModulePkgTokenSpaceGuid_PcdTcgPfpMeasurementRevision_PROMPT > #language en-US "TCG Platform Firmware > Profile revision" > + > +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdTcgPfpMeasurementRevision_HELP > #language en-US "Indicates which TCG > Platform Firmware Profile revision the EDKII firmware follows." > -- > 2.17.1
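Review bot: in the AuthenticatePciDevice comment block that the first hunk converts from /* ... */ to /** ... **/, the unchanged @return line still reads "The device failes the authentication or unexpected error happen during authentication"; since the block is being touched for ECC anyway, correct it to "fails" and "happens" in the same patch. The commit message should also name the ECC rules being addressed, because the third hunk adds PcdTcgPfpMeasurementRevision PROMPT and HELP strings to MdeModulePkg.uni, which is a different kind of change from the two comment fixes.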
Re: [edk2-devel] [edk2-platforms] Building a platform: which edk2 revision to choose?
Hi Felix, Can you include a log or details of the build error you're seeing ? Also what are the FSP , edk2-non-osi, edk2-platform and edk2 commit IDs you are using ? Thanks Prince Prince From: devel@edk2.groups.io On Behalf Of Felix Polyudov Sent: Thursday, February 13, 2020 3:11 PM To: devel@edk2.groups.io Cc: Kubacki, Michael A Subject: [edk2-devel] [edk2-platforms] Building a platform: which edk2 revision to choose? I'm trying to build one of the board packages from the edk2-platform repository. (I'm building WhiskeylakeOpenBoardPkg, but I suspect the problem exists for most of the board packages). The build process fails (I'm using build instructions from https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel). I suspect this is happening because tip of the board package is not compatible with tip of the edk2 repo. Is there a defined way for me to figure out the latest working revisions of the edk2 repo (or the other 2 repos that are part of the project) that I should use? Thanks Felix P
Re: [edk2-devel] [RFC PATCH 1/1] OvmfPkg: add 'initrd' shell command to expose Linux initrd via device path
> -Original Message- > From: Laszlo Ersek > Sent: Friday, February 14, 2020 7:15 AM > To: Ni, Ray ; devel@edk2.groups.io; Ard Biesheuvel > > Cc: l...@nuviainc.com; phi...@redhat.com; Gao, Zhichao > > Subject: Re: [edk2-devel] [RFC PATCH 1/1] OvmfPkg: add 'initrd' shell > command to expose Linux initrd via device path > > On 02/12/20 15:21, Ni, Ray wrote: > >> (3) However: I think this should be added as a Dynamic Command instead. > >> I'm basing this on the message of commit 0961002352e9 ("ShellPkg/tftp: > >> Convert from NULL class library to Dynamic Command", 2017-11-28), > which > >> is the first commit in edk2 ever to introduce a Dynamic Command. > >> > >> And the commit message there says: > >> > >> The guideline is: > >> 1. Only use NULL class library for Shell spec defined commands. > >> 2. New commands can be provided as not only a standalone application > >>but also a dynamic command. So it can be used either as an > >>internal command, but also as a standalone application. > >> > >> I'm not asking for the command to be usable as a separate application, > >> but I think we might want to follow the first guideline. > >> > >> (I've checked the UEFI Shell 2.2 spec. While it talks about dynamic > >> commands, it does not seem to spell out guideline#1. So I think it's > >> rather an edk2-specific guideline than a standard one. Nonetheless we > >> might want to adhere to it.) > > > > Laszlo, thanks for the comments. > > I didn't remember that I said these guideline publicly. > > The reason behind that is we can have the same shell binary everywhere > > and new non-spec commands can be added through dynamic command > without > > impacting the shell binary. > > Thanks for the explanation -- this means that the NULL class lib > approach is good for OvmfPkg after all. I'm putting the remaining parts > of this patch back on my review queue (it will take a while). Please don't misunderstand my points. 
I still prefer to use dynamic commands for all non-spec defined shell internal commands. Sorry for the confusion caused by my previous mail. > > Thanks > Laszlo
Re: [edk2-devel] [PATCH v4 07/40] UefiCpuPkg: Implement library support for VMGEXIT
Hi Tom, For this patch, I found the function implementations not have function header comments for them. This is not follow edk2 coding style, please update them. Thanks, Eric -Original Message- From: devel@edk2.groups.io On Behalf Of Lendacky, Thomas Sent: Wednesday, February 5, 2020 7:01 AM To: devel@edk2.groups.io Cc: Justen, Jordan L ; Laszlo Ersek ; Ard Biesheuvel ; Kinney, Michael D ; Gao, Liming ; Dong, Eric ; Ni, Ray ; Brijesh Singh Subject: [edk2-devel] [PATCH v4 07/40] UefiCpuPkg: Implement library support for VMGEXIT BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198 To support issuing a VMGEXIT instruction, create a library that can be used to perform GHCB and VMGEXIT related operations and to issue the actual VMGEXIT instruction when using the GHCB. Additionally, two VMGEXIT / MMIO related functions are created to support flash emulation. Flash emulation currently is done by marking the flash area as read-only and taking a nested page fault to perform the emulation of the instruction. However, emulation cannot be performed because there is no instruction decode assist support when SEV-ES is enabled. Provide routines to initiate an MMIO request to perform actual writes to flash. Cc: Eric Dong Cc: Ray Ni Cc: Laszlo Ersek Acked-by: Laszlo Ersek Signed-off-by: Tom Lendacky --- UefiCpuPkg/UefiCpuPkg.dec| 3 + UefiCpuPkg/UefiCpuPkg.dsc| 5 + UefiCpuPkg/Library/VmgExitLib/VmgExitLib.inf | 33 UefiCpuPkg/Include/Library/VmgExitLib.h | 111 +++ UefiCpuPkg/Library/VmgExitLib/VmgExitLib.c | 187 +++ UefiCpuPkg/Library/VmgExitLib/VmgExitLib.uni | 15 ++ 6 files changed, 354 insertions(+) create mode 100644 UefiCpuPkg/Library/VmgExitLib/VmgExitLib.inf create mode 100644 UefiCpuPkg/Include/Library/VmgExitLib.h create mode 100644 UefiCpuPkg/Library/VmgExitLib/VmgExitLib.c create mode 100644 UefiCpuPkg/Library/VmgExitLib/VmgExitLib.uni diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec index 005703d8a3e7..893d2d06b0f2 100644 
--- a/UefiCpuPkg/UefiCpuPkg.dec +++ b/UefiCpuPkg/UefiCpuPkg.dec @@ -53,6 +53,9 @@ [LibraryClasses.IA32, LibraryClasses.X64] ## MpInitLib|Include/Library/MpInitLib.h + ## @libraryclass Provides function to support VMGEXIT processing. + VmgExitLib|Include/Library/VmgExitLib.h + [Guids] gUefiCpuPkgTokenSpaceGuid = { 0xac05bf33, 0x995a, 0x4ed4, { 0xaa, 0xb8, 0xef, 0x7a, 0xe8, 0xf, 0x5c, 0xb0 }} gMsegSmramGuid = { 0x5802bce4, 0x, 0x4e33, { 0xa1, 0x30, 0xeb, 0xad, 0x27, 0xf0, 0xe4, 0x39 }} diff --git a/UefiCpuPkg/UefiCpuPkg.dsc b/UefiCpuPkg/UefiCpuPkg.dsc index d28cb5cccb52..5ab7e423e8ab 100644 --- a/UefiCpuPkg/UefiCpuPkg.dsc +++ b/UefiCpuPkg/UefiCpuPkg.dsc @@ -63,6 +63,7 @@ [LibraryClasses.common.SEC] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf PeiServicesTablePointerLib|MdePkg/Library/PeiServicesTablePointerLibIdt/PeiServicesTablePointerLibIdt.inf MemoryAllocationLib|MdePkg/Library/PeiMemoryAllocationLib/PeiMemoryAllocationLib.inf + VmgExitLib|UefiCpuPkg/Library/VmgExitLib/VmgExitLib.inf [LibraryClasses.common.PEIM] MemoryAllocationLib|MdePkg/Library/PeiMemoryAllocationLib/PeiMemoryAllocationLib.inf @@ -74,6 +75,7 @@ [LibraryClasses.common.PEIM] [LibraryClasses.IA32.PEIM, LibraryClasses.X64.PEIM] PeiServicesTablePointerLib|MdePkg/Library/PeiServicesTablePointerLibIdt/PeiServicesTablePointerLibIdt.inf CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuExceptionHandlerLib.inf + VmgExitLib|UefiCpuPkg/Library/VmgExitLib/VmgExitLib.inf [LibraryClasses.common.DXE_DRIVER] MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf 
@@ -81,12 +83,14 @@ [LibraryClasses.common.DXE_DRIVER] CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/DxeCpuExceptionHandlerLib.inf MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf RegisterCpuFeaturesLib|UefiCpuPkg/Library/RegisterCpuFeaturesLib/DxeRegisterCpuFeaturesLib.inf + VmgExitLib|UefiCpuPkg/Library/VmgExitLib/VmgExitLib.inf [LibraryClasses.common.DXE_SMM_DRIVER] SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableLib.inf MemoryAllocationLib|MdePkg/Library/SmmMemoryAllocationLib/SmmMemoryAllocationLib.inf HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf + VmgExitLib|UefiCpuPkg/Library/VmgExitLib/VmgExitLib.inf [LibraryClasses.common.UEFI_APPLICATION] UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf @@ -136,6 +140,7 @@ [Components.IA32, Components.X64] UefiCpuPkg/Library/SmmCpuPlatformHookLibNull/SmmCpuPlatformHookLibNull.inf UefiCpuPkg/Library/SmmCpuFeaturesLib/SmmCpuFeaturesLib.inf UefiCpuPkg/Library/SmmCpuFeaturesLib/SmmCpuFeaturesLibStm.inf +
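Review bot: the UefiCpuPkg.dsc hunks add the identical line "VmgExitLib|UefiCpuPkg/Library/VmgExitLib/VmgExitLib.inf" to four module-type sections (SEC, PEIM, DXE_DRIVER and DXE_SMM_DRIVER). If the one instance serves every module type, a single entry in a common [LibraryClasses] section would avoid the repetition and also cover module types not touched here, such as UEFI_APPLICATION. In the UefiCpuPkg.dec hunk, the comment "Provides function to support VMGEXIT processing" should read "functions".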
[edk2-devel] [PATCH v3 2/2] CryptoPkg/OpensslLib: Remove "no-autoalginit" flag from OpenSSL build
This is enabling a future EVP implementation to utilize the EVP_get_digestbyname() function. Cc: Jian J Wang Cc: Xiaoyu Lu Signed-off-by: Christopher J Zurcher --- CryptoPkg/Library/Include/openssl/opensslconf.h | 3 --- CryptoPkg/Library/OpensslLib/process_files.pl | 1 - 2 files changed, 4 deletions(-) diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h index 2b4d538e92..bd34e53ef2 100644 --- a/CryptoPkg/Library/Include/openssl/opensslconf.h +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h @@ -109,9 +109,6 @@ extern "C" { #ifndef OPENSSL_NO_ASYNC # define OPENSSL_NO_ASYNC #endif -#ifndef OPENSSL_NO_AUTOALGINIT -# define OPENSSL_NO_AUTOALGINIT -#endif #ifndef OPENSSL_NO_AUTOERRINIT # define OPENSSL_NO_AUTOERRINIT #endif diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl index 11cd58cc4e..4ba25da407 100755 --- a/CryptoPkg/Library/OpensslLib/process_files.pl +++ b/CryptoPkg/Library/OpensslLib/process_files.pl @@ -51,7 +51,6 @@ BEGIN { "no-afalgeng", "no-asm", "no-async", -"no-autoalginit", "no-autoerrinit", "no-autoload-config", "no-bf", -- 2.16.2.windows.1
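Review bot: dropping OPENSSL_NO_AUTOALGINIT from opensslconf.h and "no-autoalginit" from process_files.pl makes OpenSSL register all of its built-in ciphers and digests automatically, which in a statically linked firmware image can pull every one of those algorithm tables into the link; the commit message mentions only EVP_get_digestbyname(). State the measured size change for modules that consume OpensslLib in the commit message so platform owners with tight flash budgets can judge it.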
[edk2-devel] [PATCH v3 1/2] CryptoPkg/OpensslLib: Add "sort" keyword to header file parsing loop
This prevents the .inf files from being randomized after every run of process_files.pl. Cc: Jian J Wang Cc: Xiaoyu Lu Signed-off-by: Christopher J Zurcher --- CryptoPkg/Library/OpensslLib/OpensslLib.inf | 66 ++-- CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 62 +- CryptoPkg/Library/OpensslLib/process_files.pl | 4 +- 3 files changed, 66 insertions(+), 66 deletions(-) diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf index 3fa52f5543..3519a66885 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -1,7 +1,7 @@ ## @file # This module provides OpenSSL Library implementation. # -# Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved. +# Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved. # SPDX-License-Identifier: BSD-2-Clause-Patent # ## 
@@ -494,57 +494,57 @@ $(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c $(OPENSSL_PATH)/crypto/x509v3/v3_utl.c $(OPENSSL_PATH)/crypto/x509v3/v3err.c - $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h - $(OPENSSL_PATH)/crypto/dh/dh_locl.h - $(OPENSSL_PATH)/crypto/bio/bio_lcl.h - $(OPENSSL_PATH)/crypto/conf/conf_def.h - $(OPENSSL_PATH)/crypto/conf/conf_lcl.h - $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h - $(OPENSSL_PATH)/crypto/sha/sha_locl.h - $(OPENSSL_PATH)/crypto/md5/md5_locl.h - $(OPENSSL_PATH)/crypto/store/store_locl.h - $(OPENSSL_PATH)/crypto/dso/dso_locl.h - $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h $(OPENSSL_PATH)/crypto/arm_arch.h $(OPENSSL_PATH)/crypto/mips_arch.h $(OPENSSL_PATH)/crypto/ppc_arch.h $(OPENSSL_PATH)/crypto/s390x_arch.h $(OPENSSL_PATH)/crypto/sparc_arch.h $(OPENSSL_PATH)/crypto/vms_rms.h - $(OPENSSL_PATH)/crypto/bn/bn_lcl.h - $(OPENSSL_PATH)/crypto/bn/bn_prime.h - $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h - $(OPENSSL_PATH)/crypto/ui/ui_locl.h - $(OPENSSL_PATH)/crypto/md4/md4_locl.h - $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h + $(OPENSSL_PATH)/crypto/aes/aes_locl.h $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h $(OPENSSL_PATH)/crypto/asn1/charmap.h $(OPENSSL_PATH)/crypto/asn1/standard_methods.h $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h - $(OPENSSL_PATH)/crypto/evp/evp_locl.h - $(OPENSSL_PATH)/crypto/rand/rand_lcl.h - $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h - $(OPENSSL_PATH)/crypto/modes/modes_lcl.h - $(OPENSSL_PATH)/crypto/comp/comp_lcl.h - $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h - $(OPENSSL_PATH)/crypto/x509/x509_lcl.h + $(OPENSSL_PATH)/crypto/async/async_locl.h $(OPENSSL_PATH)/crypto/async/arch/async_null.h $(OPENSSL_PATH)/crypto/async/arch/async_posix.h $(OPENSSL_PATH)/crypto/async/arch/async_win.h - $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h + $(OPENSSL_PATH)/crypto/bio/bio_lcl.h + $(OPENSSL_PATH)/crypto/bn/bn_lcl.h + $(OPENSSL_PATH)/crypto/bn/bn_prime.h + $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h + $(OPENSSL_PATH)/crypto/comp/comp_lcl.h + 
$(OPENSSL_PATH)/crypto/conf/conf_def.h + $(OPENSSL_PATH)/crypto/conf/conf_lcl.h $(OPENSSL_PATH)/crypto/des/des_locl.h $(OPENSSL_PATH)/crypto/des/spr.h + $(OPENSSL_PATH)/crypto/dh/dh_locl.h + $(OPENSSL_PATH)/crypto/dso/dso_locl.h + $(OPENSSL_PATH)/crypto/evp/evp_locl.h + $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h + $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h + $(OPENSSL_PATH)/crypto/md4/md4_locl.h + $(OPENSSL_PATH)/crypto/md5/md5_locl.h + $(OPENSSL_PATH)/crypto/modes/modes_lcl.h + $(OPENSSL_PATH)/crypto/objects/obj_dat.h + $(OPENSSL_PATH)/crypto/objects/obj_lcl.h + $(OPENSSL_PATH)/crypto/objects/obj_xref.h + $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h + $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h + $(OPENSSL_PATH)/crypto/rand/rand_lcl.h + $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h + $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h + $(OPENSSL_PATH)/crypto/sha/sha_locl.h $(OPENSSL_PATH)/crypto/siphash/siphash_local.h - $(OPENSSL_PATH)/crypto/aes/aes_locl.h - $(OPENSSL_PATH)/crypto/async/async_locl.h + $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h + $(OPENSSL_PATH)/crypto/store/store_locl.h + $(OPENSSL_PATH)/crypto/ui/ui_locl.h + $(OPENSSL_PATH)/crypto/x509/x509_lcl.h $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h $(OPENSSL_PATH)/crypto/x509v3/pcy_int.h $(OPENSSL_PATH)/crypto/x509v3/standard_exts.h $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h - $(OPENSSL_PATH)/crypto/objects/obj_dat.h - $(OPENSSL_PATH)/crypto/objects/obj_lcl.h - $(OPENSSL_PATH)/crypto/objects/obj_xref.h $(OPENSSL_PATH)/ssl/bio_ssl.c $(OPENSSL_PATH)/ssl/d1_lib.c $(OPENSSL_PATH)/ssl/d1_msg.c @@ -589,13 +589,13 @@ $(OPENSSL_PATH)/ssl/t1_trce.c $(OPENSSL_PATH)/ssl/tls13_enc.c $(OPENSSL_PATH)/ssl/tls_srp.c - $(OPENSSL_PATH)/ssl/statem/statem.h - $(OPENSSL_PATH)/ssl/statem/statem_locl.h $(OPENSSL_PATH)/ssl/packet_locl.h $(OPENSSL_PATH)/ssl/ssl_cert_table.h $(OPENSSL_PATH)/ssl/ssl_locl.h $(OPENSSL_PATH)/ssl/record/record.h
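Review bot: In the @@ -494,57 +494,57 @@ hunk of OpensslLib.inf the regenerated header list is not in plain path order (crypto/vms_rms.h still precedes crypto/aes/aes_locl.h, and crypto/async/async_locl.h precedes crypto/async/arch/async_null.h), yet the commit message only says the files are no longer "randomized". Please state in the commit message which key the new "sort" applies to, and confirm that the order of headers inside one directory is deterministic as well, so that a later regeneration of the .inf files can be checked against this one and an unexpected reorder stands out in review.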
[edk2-devel] [PATCH v3 0/2] CryptoPkg/OpensslLib: Remove "no-autoalginit" flag from OpenSSL build
In order to implement the EVP interface, the EVP_get_digestbyname function requires the desired digest to be already initialized. Removing the "no-autoalginit" build option will allow algorithms to be retrieved by name.

I plan to submit a future patch with an EVP implementation; the OpenSSL documentation has stated that the EVP interface "should almost always be used" over direct digest interfaces at least as far back as version 0.9.6c.

This patch set also adds the "sort" keyword to the header file parsing loop so the .inf files aren't randomized after every run of process_files.pl.

Cc: Jian J Wang
Cc: Xiaoyu Lu

Christopher J Zurcher (2):
  CryptoPkg/OpensslLib: Add "sort" keyword to header file parsing loop
  CryptoPkg/OpensslLib: Remove "no-autoalginit" flag from OpenSSL build

 CryptoPkg/Library/OpensslLib/OpensslLib.inf | 66 ++--
 CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 62 +-
 CryptoPkg/Library/Include/openssl/opensslconf.h | 3 -
 CryptoPkg/Library/OpensslLib/process_files.pl | 5 +-
 4 files changed, 66 insertions(+), 70 deletions(-)

--
2.16.2.windows.1

View/Reply Online (#54394): https://edk2.groups.io/g/devel/message/54394
Re: [edk2-devel] [PATCH v3] IntelSiliconPkg: FIT based shadow microcode PPI support.
Hi, Mike

Thanks for your comments, I will update the patch accordingly and send a V4 for this.

Best Regards
Siyuan

> -----Original Message-----
> From: Kinney, Michael D
> Sent: February 13, 2020 8:58
> To: devel@edk2.groups.io; Fu, Siyuan; Kinney, Michael D
> Cc: Ni, Ray; Chaganty, Rangasai V
> Subject: RE: [edk2-devel] [PATCH v3] IntelSiliconPkg: FIT based shadow microcode PPI support.
>
> Siyuan,
>
> IntelSiliconPkg/Feature/ShadowMicrocode:
>
> For simple modules that only have a single .c file, there
> is no need to split out a .h file. Please merge the .h
> file content into the .c file and delete the .h file.
>
> More comments inline below.
>
> Mike
>
> > -----Original Message-----
> > From: devel@edk2.groups.io On Behalf Of Siyuan, Fu
> > Sent: Tuesday, February 11, 2020 4:48 PM
> > To: devel@edk2.groups.io
> > Cc: Ni, Ray; Chaganty, Rangasai V
> > Subject: [edk2-devel] [PATCH v3] IntelSiliconPkg: FIT based shadow microcode PPI support.
> >
> > V3 Changes:
> > Remove the feature PCD PcdCpuShadowMicrocodeByFit
> > because the whole FIT microcode shadow code is moved to
> > this PEIM so platform could disable this feature by not
> > including the PEIM now.
> >
> > V2 Changes:
> > Rename EDKII_PEI_CPU_MICROCODE_ID to
> > EDKII_PEI_MICROCODE_CPU_ID.
> >
> > This patch adds a platform PEIM for FIT based shadow
> > microcode PPI support. A detailed design doc can be
> > found here:
> > https://edk2.groups.io/g/devel/files/Designs/2020/0214/Support%20the%202nd%20Microcode%20FV%20Flash%20Region.pdf
> >
> > TEST: Tested on FIT enabled platform.
> > BZ: https://tianocore.acgmultimedia.com/show_bug.cgi?id=2449
> >
> > Cc: Ray Ni
> > Cc: Rangasai V Chaganty
> > Signed-off-by: Siyuan Fu > > --- > > .../ShadowMicrocode/ShadowMicrocodePei.c | 387 > > ++ > > .../ShadowMicrocode/ShadowMicrocodePei.h | 62 > > +++ > > .../ShadowMicrocode/ShadowMicrocodePei.inf| 44 ++ > > .../Include/Guid/MicrocodeShadowInfoHob.h | 57 > > +++ > > .../Intel/IntelSiliconPkg/IntelSiliconPkg.dec | 6 + > > .../Intel/IntelSiliconPkg/IntelSiliconPkg.dsc | 3 +- > > 6 files changed, 558 insertions(+), 1 deletion(-) > > create mode 100644 > > Silicon/Intel/IntelSiliconPkg/Feature/ShadowMicrocode/S > > hadowMicrocodePei.c > > create mode 100644 > > Silicon/Intel/IntelSiliconPkg/Feature/ShadowMicrocode/S > > hadowMicrocodePei.h > > create mode 100644 > > Silicon/Intel/IntelSiliconPkg/Feature/ShadowMicrocode/S > > hadowMicrocodePei.inf > > create mode 100644 > > Silicon/Intel/IntelSiliconPkg/Include/Guid/MicrocodeSha > > dowInfoHob.h > > > > diff --git > > a/Silicon/Intel/IntelSiliconPkg/Feature/ShadowMicrocode > > /ShadowMicrocodePei.c > > b/Silicon/Intel/IntelSiliconPkg/Feature/ShadowMicrocode > > /ShadowMicrocodePei.c > > new file mode 100644 > > index 00..c754524f41 > > --- /dev/null > > +++ > > b/Silicon/Intel/IntelSiliconPkg/Feature/ShadowMicrocode > > /ShadowMicroc > > +++ odePei.c 
> > @@ -0,0 +1,387 @@ > > +/** @file > > + Source code file for Platform Init PEI module > > This description does not match the content > > > + > > +Copyright (c) 2017 - 2019, Intel Corporation. All > > rights reserved. > > +SPDX-License-Identifier: BSD-2-Clause-Patent > > + > > +**/ > > + > > +#include "ShadowMicrocodePei.h" > > + > > +EDKII_PEI_SHADOW_MICROCODE_PPI > > mPeiShadowMicrocodePpi = { > > + ShadowMicrocode > > +}; > > + > > + > > +EFI_PEI_PPI_DESCRIPTOR > > mPeiShadowMicrocodePpiList[] = { > > + { > > +EFI_PEI_PPI_DESCRIPTOR_PPI | > > EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST, > > +, > > + > > + } > > +}; > > + > > +/** > > + Determine if a microcode patch matchs the specific > > processor signature and flag. > > + > > + @param[in] CpuIdCountNumber of elements > > in MicrocodeCpuId array. > > + @param[in] MicrocodeCpuIdA pointer to an > > array of EDKII_PEI_MICROCODE_CPU_ID > > +structures. > > + @param[in] ProcessorSignatureThe processor > > signature field value > > +supported by a > > microcode patch. > > + @param[in] ProcessorFlagsThe prcessor flags > > field value supported by > > +a microcode patch. > > + > > + @retval TRUE The specified microcode patch will > > be loaded. > > + @retval FALSEThe specified microcode patch will > > not be loaded. > > +**/ > > +BOOLEAN > > +IsProcessorMatchedMicrocodePatch ( > > + IN UINTN CpuIdCount, > > + IN EDKII_PEI_MICROCODE_CPU_ID *MicrocodeCpuId, > > + IN UINT32 > > ProcessorSignature, > > + IN UINT32 ProcessorFlags > > + ) > > +{ > > + UINTN Index; > > + > > + for (Index = 0; Index < CpuIdCount; Index++) { > > +if ((ProcessorSignature == > > MicrocodeCpuId[Index].ProcessorSignature) && > > +(ProcessorFlags & (1 << > >
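Review bot: In the comment block above IsProcessorMatchedMicrocodePatch, the @retval text says the patch "will be loaded" / "will not be loaded", but the function as declared only reports whether ProcessorSignature and ProcessorFlags match an entry in MicrocodeCpuId; it loads nothing. Please word the return values as "matches" / "does not match" so callers do not read a load guarantee into it. In the same block "matchs" and "prcessor" are misspelled, and the file header of this newly created file carries a "2017 - 2019" copyright range.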
Re: [edk2-devel] [PATCH v3 2/2] MdePkg: Remove FIT table industry standard header file.
Reviewed-by: Michael D Kinney

Mike

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Siyuan, Fu
> Sent: Wednesday, February 12, 2020 5:57 PM
> To: devel@edk2.groups.io
> Cc: Kinney, Michael D; Gao, Liming
> Subject: [edk2-devel] [PATCH v3 2/2] MdePkg: Remove FIT table industry standard header file.
>
> Commit c7c964b and dd01704 add header file for FIT table and update
> MpInitLib to support FIT based microcode shadow operation. There are
> comments that FIT is Intel specific specification instead of industry
> standard, which should not be placed in EDK2 MdePkg and UefiCpuPkg.
> This patch removes the header file added by c7c964b.
>
> Cc: Michael D Kinney
> Cc: Liming Gao
> Signed-off-by: Siyuan Fu
> --- > .../IndustryStandard/FirmwareInterfaceTable.h | 76 --- > > 1 file changed, 76 deletions(-) > delete mode 100644 > MdePkg/Include/IndustryStandard/FirmwareInterfaceTable. > h > > diff --git > a/MdePkg/Include/IndustryStandard/FirmwareInterfaceTabl > e.h > b/MdePkg/Include/IndustryStandard/FirmwareInterfaceTabl > e.h > deleted file mode 100644 > index be3e34ae1b..00 > --- > a/MdePkg/Include/IndustryStandard/FirmwareInterfaceTabl > e.h > +++ /dev/null 
> @@ -1,76 +0,0 @@ > -/** @file > - Industry Standard Definitions of Firmware Interface > Table BIOS Specification 1.0. > - > - Copyright (c) 2016 - 2020, Intel Corporation. All > rights reserved. > - SPDX-License-Identifier: BSD-2-Clause-Patent > - > -**/ > - > -#ifndef __FIRMWARE_INTERFACE_TABLE_H__ > -#define __FIRMWARE_INTERFACE_TABLE_H__ > - > -// > -// FIT Entry type definitions > -// > -#define FIT_TYPE_00_HEADER 0x00 > -#define FIT_TYPE_01_MICROCODE 0x01 > -#define FIT_TYPE_02_STARTUP_ACM 0x02 > -#define FIT_TYPE_07_BIOS_STARTUP_MODULE 0x07 > -#define FIT_TYPE_08_TPM_POLICY 0x08 > -#define FIT_TYPE_09_BIOS_POLICY 0x09 > -#define FIT_TYPE_0A_TXT_POLICY 0x0A > -#define FIT_TYPE_0B_KEY_MANIFEST0x0B > -#define FIT_TYPE_0C_BOOT_POLICY_MANIFEST0x0C > -#define FIT_TYPE_10_CSE_SECURE_BOOT 0x10 > -#define FIT_TYPE_2D_TXTSX_POLICY0x2D > -#define FIT_TYPE_2F_JMP_DEBUG_POLICY0x2F > -#define FIT_TYPE_7F_SKIP0x7F > - > -#define FIT_POINTER_ADDRESS 0xFFC0 > ///< Fixed address at 4G - 40h > - > -#define FIT_TYPE_VERSION0x0100 > - > -#define FIT_TYPE_00_SIGNATURE SIGNATURE_64 ('_', 'F', > 'I', 'T', '_', ' ', ' ', ' ') > - > -#pragma pack(1) > - > -typedef struct { > - // > - // Address is the base address of the firmware > component > - // must be aligned on 16 byte boundary > - // > - UINT64 Address; > - // > - // Size is the span of the component in multiple of > 16 bytes > - // > - UINT8 Size[3]; > - // > - // Reserved must be set to 0 > - // > - UINT8 Reserved; > - // > - // Component's version number in binary coded > decimal (BCD) format. > - // For the FIT header entry, the value in this field > will indicate the revision > - // number of the FIT data structure. The upper byte > of the revision field > - // indicates the major revision and the lower byte > indicates the minor revision. > - // > - UINT16 Version; > - // > - // FIT types 0x00 to 0x7F > - // > - UINT8 Type : 7; > - // > - // Checksum Valid indicates whether component has > valid checksum. 
> - // > - UINT8 C_V : 1; > - // > - // Component's checksum. The modulo sum of all the > bytes in the component and > - // the value in this field (Chksum) must add up to > zero. This field is only > - // valid if the C_V flag is non-zero. > - // > - UINT8 Chksum; > -} FIRMWARE_INTERFACE_TABLE_ENTRY; > - > -#pragma pack() > - > -#endif > -- > 2.19.1.windows.1 > > >
View/Reply Online (#54392): https://edk2.groups.io/g/devel/message/54392
Re: [edk2-devel] [PATCH v3 1/2] UefiCpuPkg: Remove FIT based microcode shadow logic from MpInitLib.
Reviewed-by: Michael D Kinney

Mike

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Siyuan, Fu
> Sent: Wednesday, February 12, 2020 5:57 PM
> To: devel@edk2.groups.io
> Cc: Dong, Eric; Ni, Ray; Laszlo Ersek
> Subject: [edk2-devel] [PATCH v3 1/2] UefiCpuPkg: Remove FIT based microcode shadow logic from MpInitLib.
>
> V2 Changes:
> Rename EDKII_PEI_CPU_MICROCODE_ID to EDKII_PEI_MICROCODE_CPU_ID.
> Return EFI_UNSUPPORTED instead of EFI_NOT_FOUND if no platform
> microcode shadow PPI/Protocol is found.
> Remove PcdCpuShadowMicrocodeByFit related tokens from UefiCpuPkg.uni
> V3 Changes
> Add comments to DXE version PlatformShadowMicrocode().
>
> Commit c7c964b and dd01704 add header file for FIT table and update
> MpInitLib to support FIT based microcode shadow operation. There are
> comments that FIT is Intel specific specification instead of industry
> standard, which should not be placed in EDK2 MdePkg and UefiCpuPkg.
> So this patch adds a platform PPI for the microcode shadow logic, and
> removes the FIT related code from EDK2.
> The FIT based microcode shadow support will be implemented as a new
> platform PEIM in IntelSiliconPkg in edk2-platforms.
> This patch doesn't provide a DXE version shadow microcode protocol,
> a platform which only uses DxeMpInitLib instance only supports PCD
> based microcode shadowing.
>
> A detailed design doc can be found here:
> https://edk2.groups.io/g/devel/files/Designs/2020/0214/Support%20the%202nd%20Microcode%20FV%20Flash%20Region.pdf
>
> TEST: Tested on FIT enabled platform.
> BZ: https://tianocore.acgmultimedia.com/show_bug.cgi?id=2449
>
> Cc: Eric Dong
> Cc: Ray Ni
> Cc: Laszlo Ersek
> Signed-off-by: Siyuan Fu > --- > UefiCpuPkg/Include/Ppi/ShadowMicrocode.h | 66 > +++ > UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 1 - > UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 26 > - > UefiCpuPkg/Library/MpInitLib/Microcode.c | 105 +- > > UefiCpuPkg/Library/MpInitLib/MpLib.h | 19 > +++- > UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 4 +- > UefiCpuPkg/Library/MpInitLib/PeiMpLib.c | 68 > > UefiCpuPkg/UefiCpuPkg.dec | 11 +- > UefiCpuPkg/UefiCpuPkg.uni | 6 - > 9 files changed, 183 insertions(+), 123 deletions(-) > create mode 100644 > UefiCpuPkg/Include/Ppi/ShadowMicrocode.h > > diff --git a/UefiCpuPkg/Include/Ppi/ShadowMicrocode.h > b/UefiCpuPkg/Include/Ppi/ShadowMicrocode.h > new file mode 100644 > index 00..be48965422 > --- /dev/null > +++ b/UefiCpuPkg/Include/Ppi/ShadowMicrocode.h 
> @@ -0,0 +1,66 @@ > +/** @file > + This file declares EDKII Shadow Microcode PPI. > + > + Copyright (c) 2020, Intel Corporation. All rights > reserved. > + SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#ifndef __PPI_SHADOW_MICROCODE_H__ > +#define __PPI_SHADOW_MICROCODE_H__ > + > +#define EDKII_PEI_SHADOW_MICROCODE_PPI_GUID \ > + { \ > +0x430f6965, 0x9a69, 0x41c5, { 0x93, 0xed, 0x8b, > 0xf0, 0x64, 0x35, 0xc1, 0xc6 } \ > + } > + > +typedef struct _EDKII_PEI_SHADOW_MICROCODE_PPI > EDKII_PEI_SHADOW_MICROCODE_PPI; > + > +typedef struct { > + UINT32 ProcessorSignature; > + UINT8 PlatformId; > +} EDKII_PEI_MICROCODE_CPU_ID; > + > +/** > + Shadow microcode update patches to memory. > + > + The function is used for shadowing microcode update > patches to a continuous memory. > + It shall allocate memory buffer and only shadow the > microcode patches for those > + processors specified by MicrocodeCpuId array. The > checksum verification may be > + skiped in this function so the caller must perform > checksum verification before > + using the microcode patches in returned memory > buffer. > + > + @param[in] This The PPI instance > pointer. > + @param[in] CpuIdCount Number of elements > in MicrocodeCpuId array. > + @param[in] MicrocodeCpuId A pointer to an > array of EDKII_PEI_MICROCODE_CPU_ID > + structures. > + @param[out] BufferSize Pointer to receive > the total size of Buffer. > + @param[out] Buffer Pointer to receive > address of allocated memory > + with microcode > patches data in it. > + > + @retval EFI_SUCCESS The microcode has > been shadowed to memory. > + @retval EFI_OUT_OF_RESOURCES The operation fails > due to lack of resources. 
> + > +**/ > +typedef > +EFI_STATUS > +(EFIAPI *EDKII_PEI_SHADOW_MICROCODE) ( > + IN EDKII_PEI_SHADOW_MICROCODE_PPI*This, > + IN UINTN > CpuIdCount, > + IN EDKII_PEI_MICROCODE_CPU_ID > *MicrocodeCpuId, > + OUT UINTN > *BufferSize, > + OUT VOID **Buffer > + ); > + > +/// > +/// This PPI is installed by some platform or chipset- > specific PEIM that > +/// abstracts handling microcode shadow support. > +///
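Review bot: The description of EDKII_PEI_SHADOW_MICROCODE in ShadowMicrocode.h lets an implementation skip checksum verification and puts that duty on the caller, but the @retval list documents only EFI_SUCCESS and EFI_OUT_OF_RESOURCES and says nothing about the state of *Buffer and *BufferSize on failure. Since the returned buffer may hold unverified patches, please make the caller's obligation explicit in the @param[out] Buffer text as well, document whether the outputs are left untouched when the call fails, and add the status returned for invalid input (for example a NULL MicrocodeCpuId with a non-zero CpuIdCount) if the implementation checks for it. "skiped" in the same comment should read "skipped".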
Re: [edk2-devel] [PATCH 1/1] CryptoPkg/OpensslLib: Remove "no-autoalginit" flag from OpenSSL build
> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Laszlo Ersek
> Sent: Thursday, February 13, 2020 15:29
> To: devel@edk2.groups.io; Zurcher, Christopher J
> Subject: Re: [edk2-devel] [PATCH 1/1] CryptoPkg/OpensslLib: Remove "no-autoalginit" flag from OpenSSL build
>
> Hi Christopher,
>
> (1) Please CC the CryptoPkg maintainers on CryptoPkg patches.

Thanks, I missed this originally and added them in v2.

>
> On 02/13/20 00:41, Zurcher, Christopher J wrote:
> > This is required for interfaces such as EVP to retrieve algorithms
> > by name.
>
> (2) Apologies, I don't understand this explanation. There don't seem to
> be any users for whatever is being enabled in this patch in the edk2
> tree. Can you please elaborate? (Not just for me in this thread, but in
> the commit message.)

This is to prepare for a future commit that will implement an EVP interface.

>
> >
> > This commit also adds the "sort" keyword to the header file parsing loop
> > so the .inf files aren't randomized after every run of process_files.pl.
>
> (3) That's a great idea, but it should be split to a separate patch. I'd
> suggest first introducing the sorted generation (without any change to
> the set of files built).
>
> And then the effects of the "no-autoalginit" removal can be seen
> clearly, without being hidden by the reordering.

Will split in v3.

Thanks,
Christopher Zurcher

>
> >
> > --- > > CryptoPkg/Library/OpensslLib/OpensslLib.inf | 64 ++- > - > > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 60 +- > > CryptoPkg/Library/Include/openssl/opensslconf.h | 3 - > > CryptoPkg/Library/OpensslLib/process_files.pl | 5 +- > > 4 files changed, 64 insertions(+), 68 deletions(-) > > > > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > b/CryptoPkg/Library/OpensslLib/OpensslLib.inf > > index 3fa52f5543..5caffdb71e 100644 > > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
> > @@ -494,57 +494,57 @@ > >$(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c > >$(OPENSSL_PATH)/crypto/x509v3/v3_utl.c > >$(OPENSSL_PATH)/crypto/x509v3/v3err.c > > - $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h > > - $(OPENSSL_PATH)/crypto/dh/dh_locl.h > > - $(OPENSSL_PATH)/crypto/bio/bio_lcl.h > > - $(OPENSSL_PATH)/crypto/conf/conf_def.h > > - $(OPENSSL_PATH)/crypto/conf/conf_lcl.h > > - $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h > > - $(OPENSSL_PATH)/crypto/sha/sha_locl.h > > - $(OPENSSL_PATH)/crypto/md5/md5_locl.h > > - $(OPENSSL_PATH)/crypto/store/store_locl.h > > - $(OPENSSL_PATH)/crypto/dso/dso_locl.h > > - $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h > >$(OPENSSL_PATH)/crypto/arm_arch.h > >$(OPENSSL_PATH)/crypto/mips_arch.h > >$(OPENSSL_PATH)/crypto/ppc_arch.h > >$(OPENSSL_PATH)/crypto/s390x_arch.h > >$(OPENSSL_PATH)/crypto/sparc_arch.h > >$(OPENSSL_PATH)/crypto/vms_rms.h > > - $(OPENSSL_PATH)/crypto/bn/bn_lcl.h > > - $(OPENSSL_PATH)/crypto/bn/bn_prime.h > > - $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h > > - $(OPENSSL_PATH)/crypto/ui/ui_locl.h > > - $(OPENSSL_PATH)/crypto/md4/md4_locl.h > > - $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h > > + $(OPENSSL_PATH)/crypto/aes/aes_locl.h > >$(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h > >$(OPENSSL_PATH)/crypto/asn1/asn1_locl.h > >$(OPENSSL_PATH)/crypto/asn1/charmap.h > >$(OPENSSL_PATH)/crypto/asn1/standard_methods.h > >$(OPENSSL_PATH)/crypto/asn1/tbl_standard.h > > - $(OPENSSL_PATH)/crypto/evp/evp_locl.h > > - $(OPENSSL_PATH)/crypto/rand/rand_lcl.h > > - $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h > > - $(OPENSSL_PATH)/crypto/modes/modes_lcl.h > > - $(OPENSSL_PATH)/crypto/comp/comp_lcl.h > > - $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h > > - $(OPENSSL_PATH)/crypto/x509/x509_lcl.h > > + $(OPENSSL_PATH)/crypto/async/async_locl.h > >$(OPENSSL_PATH)/crypto/async/arch/async_null.h > >$(OPENSSL_PATH)/crypto/async/arch/async_posix.h > >$(OPENSSL_PATH)/crypto/async/arch/async_win.h > > - $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h > > + $(OPENSSL_PATH)/crypto/bio/bio_lcl.h 
> > + $(OPENSSL_PATH)/crypto/bn/bn_lcl.h > > + $(OPENSSL_PATH)/crypto/bn/bn_prime.h > > + $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h > > + $(OPENSSL_PATH)/crypto/comp/comp_lcl.h > > + $(OPENSSL_PATH)/crypto/conf/conf_def.h > > + $(OPENSSL_PATH)/crypto/conf/conf_lcl.h > >$(OPENSSL_PATH)/crypto/des/des_locl.h > >$(OPENSSL_PATH)/crypto/des/spr.h > > + $(OPENSSL_PATH)/crypto/dh/dh_locl.h > > + $(OPENSSL_PATH)/crypto/dso/dso_locl.h > > + $(OPENSSL_PATH)/crypto/evp/evp_locl.h > > + $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h > > + $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h > > + $(OPENSSL_PATH)/crypto/md4/md4_locl.h > > + $(OPENSSL_PATH)/crypto/md5/md5_locl.h > > + $(OPENSSL_PATH)/crypto/modes/modes_lcl.h > > + $(OPENSSL_PATH)/crypto/objects/obj_dat.h > > + $(OPENSSL_PATH)/crypto/objects/obj_lcl.h > > + $(OPENSSL_PATH)/crypto/objects/obj_xref.h > > +
Re: [edk2-devel] [PATCH 1/1] CryptoPkg/OpensslLib: Remove "no-autoalginit" flag from OpenSSL build
Hi Christopher,

(1) Please CC the CryptoPkg maintainers on CryptoPkg patches.

On 02/13/20 00:41, Zurcher, Christopher J wrote:
> This is required for interfaces such as EVP to retrieve algorithms
> by name.

(2) Apologies, I don't understand this explanation. There don't seem to be any users for whatever is being enabled in this patch in the edk2 tree. Can you please elaborate? (Not just for me in this thread, but in the commit message.)

>
> This commit also adds the "sort" keyword to the header file parsing loop
> so the .inf files aren't randomized after every run of process_files.pl.

(3) That's a great idea, but it should be split to a separate patch. I'd suggest first introducing the sorted generation (without any change to the set of files built).

And then the effects of the "no-autoalginit" removal can be seen clearly, without being hidden by the reordering.

> --- > CryptoPkg/Library/OpensslLib/OpensslLib.inf | 64 ++-- > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 60 +- > CryptoPkg/Library/Include/openssl/opensslconf.h | 3 - > CryptoPkg/Library/OpensslLib/process_files.pl | 5 +- > 4 files changed, 64 insertions(+), 68 deletions(-) > > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > b/CryptoPkg/Library/OpensslLib/OpensslLib.inf > index 3fa52f5543..5caffdb71e 100644 > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
> @@ -494,57 +494,57 @@ >$(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c >$(OPENSSL_PATH)/crypto/x509v3/v3_utl.c >$(OPENSSL_PATH)/crypto/x509v3/v3err.c > - $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h > - $(OPENSSL_PATH)/crypto/dh/dh_locl.h > - $(OPENSSL_PATH)/crypto/bio/bio_lcl.h > - $(OPENSSL_PATH)/crypto/conf/conf_def.h > - $(OPENSSL_PATH)/crypto/conf/conf_lcl.h > - $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h > - $(OPENSSL_PATH)/crypto/sha/sha_locl.h > - $(OPENSSL_PATH)/crypto/md5/md5_locl.h > - $(OPENSSL_PATH)/crypto/store/store_locl.h > - $(OPENSSL_PATH)/crypto/dso/dso_locl.h > - $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h >$(OPENSSL_PATH)/crypto/arm_arch.h >$(OPENSSL_PATH)/crypto/mips_arch.h >$(OPENSSL_PATH)/crypto/ppc_arch.h >$(OPENSSL_PATH)/crypto/s390x_arch.h >$(OPENSSL_PATH)/crypto/sparc_arch.h >$(OPENSSL_PATH)/crypto/vms_rms.h > - $(OPENSSL_PATH)/crypto/bn/bn_lcl.h > - $(OPENSSL_PATH)/crypto/bn/bn_prime.h > - $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h > - $(OPENSSL_PATH)/crypto/ui/ui_locl.h > - $(OPENSSL_PATH)/crypto/md4/md4_locl.h > - $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h > + $(OPENSSL_PATH)/crypto/aes/aes_locl.h >$(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h >$(OPENSSL_PATH)/crypto/asn1/asn1_locl.h >$(OPENSSL_PATH)/crypto/asn1/charmap.h >$(OPENSSL_PATH)/crypto/asn1/standard_methods.h >$(OPENSSL_PATH)/crypto/asn1/tbl_standard.h > - $(OPENSSL_PATH)/crypto/evp/evp_locl.h > - $(OPENSSL_PATH)/crypto/rand/rand_lcl.h > - $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h > - $(OPENSSL_PATH)/crypto/modes/modes_lcl.h > - $(OPENSSL_PATH)/crypto/comp/comp_lcl.h > - $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h > - $(OPENSSL_PATH)/crypto/x509/x509_lcl.h > + $(OPENSSL_PATH)/crypto/async/async_locl.h >$(OPENSSL_PATH)/crypto/async/arch/async_null.h >$(OPENSSL_PATH)/crypto/async/arch/async_posix.h >$(OPENSSL_PATH)/crypto/async/arch/async_win.h > - $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h > + $(OPENSSL_PATH)/crypto/bio/bio_lcl.h > + $(OPENSSL_PATH)/crypto/bn/bn_lcl.h > + $(OPENSSL_PATH)/crypto/bn/bn_prime.h > + 
$(OPENSSL_PATH)/crypto/bn/rsaz_exp.h > + $(OPENSSL_PATH)/crypto/comp/comp_lcl.h > + $(OPENSSL_PATH)/crypto/conf/conf_def.h > + $(OPENSSL_PATH)/crypto/conf/conf_lcl.h >$(OPENSSL_PATH)/crypto/des/des_locl.h >$(OPENSSL_PATH)/crypto/des/spr.h > + $(OPENSSL_PATH)/crypto/dh/dh_locl.h > + $(OPENSSL_PATH)/crypto/dso/dso_locl.h > + $(OPENSSL_PATH)/crypto/evp/evp_locl.h > + $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h > + $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h > + $(OPENSSL_PATH)/crypto/md4/md4_locl.h > + $(OPENSSL_PATH)/crypto/md5/md5_locl.h > + $(OPENSSL_PATH)/crypto/modes/modes_lcl.h > + $(OPENSSL_PATH)/crypto/objects/obj_dat.h > + $(OPENSSL_PATH)/crypto/objects/obj_lcl.h > + $(OPENSSL_PATH)/crypto/objects/obj_xref.h > + $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h > + $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h > + $(OPENSSL_PATH)/crypto/rand/rand_lcl.h > + $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h > + $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h > + $(OPENSSL_PATH)/crypto/sha/sha_locl.h >$(OPENSSL_PATH)/crypto/siphash/siphash_local.h > - $(OPENSSL_PATH)/crypto/aes/aes_locl.h > - $(OPENSSL_PATH)/crypto/async/async_locl.h > + $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h > + $(OPENSSL_PATH)/crypto/store/store_locl.h > + $(OPENSSL_PATH)/crypto/ui/ui_locl.h > + $(OPENSSL_PATH)/crypto/x509/x509_lcl.h >$(OPENSSL_PATH)/crypto/x509v3/ext_dat.h >$(OPENSSL_PATH)/crypto/x509v3/pcy_int.h >
Re: [edk2-devel] [RFC PATCH 1/1] OvmfPkg: add 'initrd' shell command to expose Linux initrd via device path
On 02/12/20 15:21, Ni, Ray wrote:
>> (3) However: I think this should be added as a Dynamic Command instead.
>> I'm basing this on the message of commit 0961002352e9 ("ShellPkg/tftp:
>> Convert from NULL class library to Dynamic Command", 2017-11-28), which
>> is the first commit in edk2 ever to introduce a Dynamic Command.
>>
>> And the commit message there says:
>>
>>     The guideline is:
>>     1. Only use NULL class library for Shell spec defined commands.
>>     2. New commands can be provided as not only a standalone application
>>        but also a dynamic command. So it can be used either as an
>>        internal command, but also as a standalone application.
>>
>> I'm not asking for the command to be usable as a separate application,
>> but I think we might want to follow the first guideline.
>>
>> (I've checked the UEFI Shell 2.2 spec. While it talks about dynamic
>> commands, it does not seem to spell out guideline#1. So I think it's
>> rather an edk2-specific guideline than a standard one. Nonetheless we
>> might want to adhere to it.)
>
> Laszlo, thanks for the comments.
> I didn't remember that I said these guidelines publicly.
> The reason behind that is we can have the same shell binary everywhere
> and new non-spec commands can be added through dynamic command without
> impacting the shell binary.

Thanks for the explanation -- this means that the NULL class lib approach is good for OvmfPkg after all.

I'm putting the remaining parts of this patch back on my review queue (it will take a while).

Thanks
Laszlo

View/Reply Online (#54388): https://edk2.groups.io/g/devel/message/54388
Re: [edk2-devel] [PATCH v2 0/3] UefiCpuPkg/CpuFeature: Introduce First to indicate 1st unit.
Hi Ray,

On 02/13/20 15:15, Ni, Ray wrote:
> Laszlo,
> I forgot to add you to CC list.
> Do you have any comments on the patch set?

Thanks for the ping -- no comments for now; please go ahead. I'm super swamped with todos and OVMF doesn't use RegisterCpuFeaturesLib or CpuCommonFeaturesLib, so I prefer to skip this set now.

Thanks
Laszlo

>
> Thanks,
> Ray
>
>> -----Original Message-----
>> From: Dong, Eric
>> Sent: Thursday, February 13, 2020 4:04 PM
>> To: devel@edk2.groups.io; Ni, Ray
>> Subject: RE: [edk2-devel] [PATCH v2 0/3] UefiCpuPkg/CpuFeature: Introduce First to indicate 1st unit.
>>
>> For the serial: Reviewed-by: Eric Dong
>>
>> -----Original Message-----
>> From: devel@edk2.groups.io On Behalf Of Ray Ni
>> Sent: Tuesday, November 26, 2019 2:16 PM
>> To: devel@edk2.groups.io
>> Subject: [edk2-devel] [PATCH v2 0/3] UefiCpuPkg/CpuFeature: Introduce First to indicate 1st unit.
>>
>> Ray Ni (3):
>>   UefiCpuPkg/RegisterCpuFeaturesLib: Delete CPU_FEATURE_[BEFORE|AFTER]
>>   UefiCpuPkg/RegisterCpuFeaturesLib: Rename [Before|After]FeatureBitMask
>>   UefiCpuPkg/CpuFeature: Introduce First to indicate 1st unit.
>>
>>  .../Include/Library/RegisterCpuFeaturesLib.h | 49 +---
>>  .../CpuCommonFeaturesLib.c | 6 +-
>>  .../CpuFeaturesInitialize.c | 74 +++
>>  .../RegisterCpuFeatures.h | 4 +-
>>  .../RegisterCpuFeaturesLib.c | 74 ++-
>>  5 files changed, 158 insertions(+), 49 deletions(-)
>>
>> --
>> 2.21.0.windows.1
>>
>>
>>
>

View/Reply Online (#54387): https://edk2.groups.io/g/devel/message/54387
[edk2-devel] [edk2-platforms] Building a platform: which edk2 revision to choose?
I'm trying to build one of the board packages from the edk2-platform repository. (I'm building WhiskeylakeOpenBoardPkg, but I suspect the problem exists for most of the board packages).

The build process fails (I'm using build instructions from https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel). I suspect this is happening because tip of the board package is not compatible with tip of the edk2 repo.

Is there a defined way for me to figure out the latest working revisions of the edk2 repo (or the other 2 repos that are part of the project) that I should use?

Thanks
Felix

View/Reply Online (#54386): https://edk2.groups.io/g/devel/message/54386
Re: [edk2-devel] [PATCH v2 1/1] CryptoPkg/OpensslLib: Remove "no-autoalginit" flag from OpenSSL build
> -Original Message- > From: Wang, Jian J > Sent: Thursday, February 13, 2020 07:19 > To: Zurcher, Christopher J ; > devel@edk2.groups.io > Cc: Lu, XiaoyuX > Subject: RE: [PATCH v2 1/1] CryptoPkg/OpensslLib: Remove "no-autoalginit" > flag from OpenSSL build > > Thanks for the patch. Two comments below. > > > > -Original Message- > > From: Zurcher, Christopher J > > Sent: Thursday, February 13, 2020 11:34 AM > > To: devel@edk2.groups.io > > Cc: Wang, Jian J ; Lu, XiaoyuX > > > Subject: [PATCH v2 1/1] CryptoPkg/OpensslLib: Remove "no-autoalginit" > flag > > from OpenSSL build > > > > This is required for interfaces such as EVP to retrieve algorithms > > by name. > > > > This commit also adds the "sort" keyword to the header file parsing loop > > so the .inf files aren't randomized after every run of process_files.pl. > > > > Cc: Jian J Wang > > Cc: Xiaoyu Lu > > Signed-off-by: Christopher J Zurcher > > --- > > CryptoPkg/Library/OpensslLib/OpensslLib.inf | 64 ++-- > > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 60 +--- > -- > > CryptoPkg/Library/Include/openssl/opensslconf.h | 3 - > > CryptoPkg/Library/OpensslLib/process_files.pl | 5 +- > > 4 files changed, 64 insertions(+), 68 deletions(-) > > > > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > > b/CryptoPkg/Library/OpensslLib/OpensslLib.inf > > index 3fa52f5543..5caffdb71e 100644 > > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
> > @@ -494,57 +494,57 @@ > >$(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c > >$(OPENSSL_PATH)/crypto/x509v3/v3_utl.c > >$(OPENSSL_PATH)/crypto/x509v3/v3err.c > > - $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h > > - $(OPENSSL_PATH)/crypto/dh/dh_locl.h > > - $(OPENSSL_PATH)/crypto/bio/bio_lcl.h > > - $(OPENSSL_PATH)/crypto/conf/conf_def.h > > - $(OPENSSL_PATH)/crypto/conf/conf_lcl.h > > - $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h > > - $(OPENSSL_PATH)/crypto/sha/sha_locl.h > > - $(OPENSSL_PATH)/crypto/md5/md5_locl.h > > - $(OPENSSL_PATH)/crypto/store/store_locl.h > > - $(OPENSSL_PATH)/crypto/dso/dso_locl.h > > - $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h > >$(OPENSSL_PATH)/crypto/arm_arch.h > >$(OPENSSL_PATH)/crypto/mips_arch.h > >$(OPENSSL_PATH)/crypto/ppc_arch.h > >$(OPENSSL_PATH)/crypto/s390x_arch.h > >$(OPENSSL_PATH)/crypto/sparc_arch.h > >$(OPENSSL_PATH)/crypto/vms_rms.h > > - $(OPENSSL_PATH)/crypto/bn/bn_lcl.h > > - $(OPENSSL_PATH)/crypto/bn/bn_prime.h > > - $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h > > - $(OPENSSL_PATH)/crypto/ui/ui_locl.h > > - $(OPENSSL_PATH)/crypto/md4/md4_locl.h > > - $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h > > + $(OPENSSL_PATH)/crypto/aes/aes_locl.h > >$(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h > >$(OPENSSL_PATH)/crypto/asn1/asn1_locl.h > >$(OPENSSL_PATH)/crypto/asn1/charmap.h > >$(OPENSSL_PATH)/crypto/asn1/standard_methods.h > >$(OPENSSL_PATH)/crypto/asn1/tbl_standard.h > > - $(OPENSSL_PATH)/crypto/evp/evp_locl.h > > - $(OPENSSL_PATH)/crypto/rand/rand_lcl.h > > - $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h > > - $(OPENSSL_PATH)/crypto/modes/modes_lcl.h > > - $(OPENSSL_PATH)/crypto/comp/comp_lcl.h > > - $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h > > - $(OPENSSL_PATH)/crypto/x509/x509_lcl.h > > + $(OPENSSL_PATH)/crypto/async/async_locl.h > >$(OPENSSL_PATH)/crypto/async/arch/async_null.h > >$(OPENSSL_PATH)/crypto/async/arch/async_posix.h > >$(OPENSSL_PATH)/crypto/async/arch/async_win.h > > - $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h > > + $(OPENSSL_PATH)/crypto/bio/bio_lcl.h 
> > + $(OPENSSL_PATH)/crypto/bn/bn_lcl.h > > + $(OPENSSL_PATH)/crypto/bn/bn_prime.h > > + $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h > > + $(OPENSSL_PATH)/crypto/comp/comp_lcl.h > > + $(OPENSSL_PATH)/crypto/conf/conf_def.h > > + $(OPENSSL_PATH)/crypto/conf/conf_lcl.h > >$(OPENSSL_PATH)/crypto/des/des_locl.h > >$(OPENSSL_PATH)/crypto/des/spr.h > > + $(OPENSSL_PATH)/crypto/dh/dh_locl.h > > + $(OPENSSL_PATH)/crypto/dso/dso_locl.h > > + $(OPENSSL_PATH)/crypto/evp/evp_locl.h > > + $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h > > + $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h > > + $(OPENSSL_PATH)/crypto/md4/md4_locl.h > > + $(OPENSSL_PATH)/crypto/md5/md5_locl.h > > + $(OPENSSL_PATH)/crypto/modes/modes_lcl.h > > + $(OPENSSL_PATH)/crypto/objects/obj_dat.h > > + $(OPENSSL_PATH)/crypto/objects/obj_lcl.h > > + $(OPENSSL_PATH)/crypto/objects/obj_xref.h > > + $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h > > + $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h > > + $(OPENSSL_PATH)/crypto/rand/rand_lcl.h > > + $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h > > + $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h > > + $(OPENSSL_PATH)/crypto/sha/sha_locl.h > >$(OPENSSL_PATH)/crypto/siphash/siphash_local.h > > - $(OPENSSL_PATH)/crypto/aes/aes_locl.h > > - $(OPENSSL_PATH)/crypto/async/async_locl.h > > + $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h > > +
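Review bot: In this OpensslLib.inf hunk the entries that appear only as additions in the visible lines (crypto/objects/obj_dat.h, obj_lcl.h and obj_xref.h) are buried among some thirty header lines that move purely because of the new "sort" in process_files.pl. Split the sort into its own patch that regenerates the .inf files with no functional change, so that the patch removing "no-autoalginit" shows only the files the flag change actually pulls in.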
Re: [edk2-devel] [RFC PATCH 1/1] MdeModulePkg/PiDxeS3BootScriptLib: Use SafeIntLib to avoid truncation
On 2/13/20 7:29 PM, Philippe Mathieu-Daude wrote: Math expressions written in terms of SafeIntLib function calls are easily readable, making review trivial. Convert the truncation checks added by commit 322ac05f8 to SafeIntLib calls. Cc: Jian J Wang Cc: Hao A Wu Cc: Eric Dong Suggested-by: Laszlo Ersek Signed-off-by: Philippe Mathieu-Daude --- .../DxeS3BootScriptLib.inf| 1 + .../InternalBootScriptLib.h | 1 + .../PiDxeS3BootScriptLib/BootScriptSave.c | 114 +++--- 3 files changed, 73 insertions(+), 43 deletions(-) diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf b/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf index 2b894c99da55..698039fe8e69 100644 --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf @@ -40,15 +40,16 @@ [Packages] [LibraryClasses] UefiBootServicesTableLib BaseLib BaseMemoryLib TimerLib DebugLib PcdLib UefiLib SmbusLib PciSegmentLib IoLib LockBoxLib + SafeIntLib [Protocols] gEfiSmmBase2ProtocolGuid ## SOMETIMES_CONSUMES diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/InternalBootScriptLib.h b/MdeModulePkg/Library/PiDxeS3BootScriptLib/InternalBootScriptLib.h index 9485994087d0..7513220c15ac 100644 --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/InternalBootScriptLib.h +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/InternalBootScriptLib.h 
@@ -1,49 +1,50 @@ /** @file Support for S3 boot script lib. This file defined some internal macro and internal data structure Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ #ifndef __INTERNAL_BOOT_SCRIPT_LIB__ #define __INTERNAL_BOOT_SCRIPT_LIB__ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include +#include #include "BootScriptInternalFormat.h" #define MAX_IO_ADDRESS 0x // // Macro to convert a UEFI PCI address + segment to a PCI Segment Library PCI address // #define PCI_ADDRESS_ENCODE(S, A) PCI_SEGMENT_LIB_ADDRESS( \ S, \ UINTN)(A)) & 0xff00) >> 24), \ UINTN)(A)) & 0x00ff) >> 16), \ UINTN)(A)) & 0xff00) >> 8), \ ((RShiftU64 ((A), 32) & 0xfff) | ((A) & 0xff)) \ ) diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c index 9315fc9f0188..d229263638fc 100644 --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c 
@@ -995,55 +995,60 @@ EFIAPI S3BootScriptSaveIoWrite ( IN S3_BOOT_SCRIPT_LIB_WIDTH Width, IN UINT64Address, IN UINTN Count, IN VOID *Buffer ) { + EFI_STATUSStatus; UINT8 Length; UINT8*Script; UINT8 WidthInByte; EFI_BOOT_SCRIPT_IO_WRITE ScriptIoWrite; - WidthInByte = (UINT8) (0x01 << (Width & 0x03)); + Status = SafeUintnToUint8 (Count, ); + if (EFI_ERROR (Status)) { +return RETURN_OUT_OF_RESOURCES; + } + + Status = SafeUint8Mult (Length, 0x01 << (Width & 0x03), ); + if (EFI_ERROR (Status)) { +return RETURN_OUT_OF_RESOURCES; + } - // - // Truncation check - // - if ((Count > MAX_UINT8) || - (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_IO_WRITE))) { + Status = SafeUint8Add (Length, sizeof (EFI_BOOT_SCRIPT_IO_WRITE), ); + if (EFI_ERROR (Status)) { return RETURN_OUT_OF_RESOURCES; } - Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * Count)); Script = S3BootScriptGetEntryAddAddress (Length); if (Script == NULL) { return RETURN_OUT_OF_RESOURCES; } // // save script data // ScriptIoWrite.OpCode = EFI_BOOT_SCRIPT_IO_WRITE_OPCODE; ScriptIoWrite.Length = Length; ScriptIoWrite.Width = Width; ScriptIoWrite.Address = Address; ScriptIoWrite.Count = (UINT32) Count; CopyMem ((VOID*)Script, (VOID*), sizeof(EFI_BOOT_SCRIPT_IO_WRITE)); CopyMem ((VOID*)(Script + sizeof (EFI_BOOT_SCRIPT_IO_WRITE)), Buffer, WidthInByte * Count); SyncBootScript (Script); return RETURN_SUCCESS; } Oops wrong version (WidthInByte is uninitialized). -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages
[edk2-devel] [RFC PATCH 0/1] MdeModulePkg/PiDxeS3BootScriptLib: Use SafeIntLib to avoid truncation
Commit 322ac05f8bbc added truncation checks to fix CVE-2019-14563. I found the 'a * b > d - c' reverse notation not obvious to review, and suggested to write 'a * b + c > d'. Laszlo explained to me that this is the EDK2 standard pattern to check against each overflow, but pointed out the SafeIntLib, which has pretty readable calls. This is my try at using it. Regards, Phil. Cc: Jian J Wang Cc: Hao A Wu Cc: Eric Dong Cc: Laszlo Ersek Philippe Mathieu-Daudé (1): MdeModulePkg/PiDxeS3BootScriptLib: Use SafeIntLib to avoid truncation .../DxeS3BootScriptLib.inf| 1 + .../InternalBootScriptLib.h | 1 + .../PiDxeS3BootScriptLib/BootScriptSave.c | 114 +++--- 3 files changed, 73 insertions(+), 43 deletions(-) -- 2.21.1
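The two check notations compared in the cover letter above, next to a checked-arithmetic chain in the style of the SafeIntLib calls, as an added example that is not code from the patch or from EDK2. HDR_SIZE and every function name are constructed stand-ins (HDR_SIZE for sizeof (EFI_BOOT_SCRIPT_IO_WRITE), whose value the page does not give).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for sizeof (EFI_BOOT_SCRIPT_IO_WRITE). */
#define HDR_SIZE 16u

/* Width selector -> bytes per element, as in 0x01 << (Width & 0x03). */
static size_t width_in_bytes(unsigned width_sel)
{
    return (size_t)1 << (width_sel & 0x03);
}

/* No check: the cast to an 8-bit length silently drops the high bits. */
static uint8_t length_truncating(unsigned width_sel, size_t count)
{
    return (uint8_t)(HDR_SIZE + width_in_bytes(width_sel) * count);
}

/* 'a * b + c > d': easy to read, but a * b + c can wrap before the compare. */
static bool length_sum_form(unsigned width_sel, size_t count, uint8_t *len)
{
    size_t total = width_in_bytes(width_sel) * count + HDR_SIZE; /* may wrap */
    if (total > (size_t)UINT8_MAX) return false;
    *len = (uint8_t)total;
    return true;
}

/* 'a * b > d - c' with count bounded first: no intermediate can overflow. */
static bool length_sub_form(unsigned width_sel, size_t count, uint8_t *len)
{
    size_t w = width_in_bytes(width_sel);
    if (count > (size_t)UINT8_MAX ||
        w * count > (size_t)UINT8_MAX - HDR_SIZE) return false;
    *len = (uint8_t)(HDR_SIZE + w * count);
    return true;
}

/* Checked 8-bit primitives: each one reports overflow instead of wrapping. */
static bool u8_from_size(size_t v, uint8_t *out)
{
    if (v > (size_t)UINT8_MAX) return false;
    *out = (uint8_t)v;
    return true;
}

static bool u8_mul(uint8_t a, uint8_t b, uint8_t *out)
{
    unsigned p = (unsigned)a * b;
    if (p > UINT8_MAX) return false;
    *out = (uint8_t)p;
    return true;
}

static bool u8_add(uint8_t a, uint8_t b, uint8_t *out)
{
    unsigned s = (unsigned)a + b;
    if (s > UINT8_MAX) return false;
    *out = (uint8_t)s;
    return true;
}

/* Same computation as a chain of checked steps: convert, multiply, add. */
static bool length_checked(unsigned width_sel, size_t count, uint8_t *len)
{
    uint8_t n;
    if (!u8_from_size(count, &n)) return false;
    if (!u8_mul(n, (uint8_t)width_in_bytes(width_sel), &n)) return false;
    if (!u8_add(n, (uint8_t)HDR_SIZE, &n)) return false;
    *len = n;
    return true;
}

/* Counts inputs on which the subtraction form and the chain disagree. */
static unsigned disagreements(void)
{
    unsigned bad = 0;
    for (unsigned w = 0; w < 4; w++) {
        for (size_t c = 0; c <= 300; c++) {
            uint8_t a = 0, b = 0;
            bool ra = length_sub_form(w, c, &a);
            bool rb = length_checked(w, c, &b);
            if (ra != rb || (ra && a != b)) bad++;
        }
    }
    return bad;
}

int main(void)
{
    size_t huge = SIZE_MAX / 8 + 1; /* 8 * huge wraps to 0 in size_t */
    uint8_t len = 0;
    printf("truncating(3, 32)  -> %u\n", (unsigned)length_truncating(3, 32));
    printf("sum form, huge     -> %d\n", (int)length_sum_form(3, huge, &len));
    printf("sub form, huge     -> %d\n", (int)length_sub_form(3, huge, &len));
    printf("checked, huge      -> %d\n", (int)length_checked(3, huge, &len));
    printf("disagreements      -> %u\n", disagreements());
    return 0;
}
```

The sum form accepts the wrapped count and reports a 16-byte entry, while the subtraction form and the checked chain both reject it and agree on every in-range input.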
[edk2-devel] [RFC PATCH 1/1] MdeModulePkg/PiDxeS3BootScriptLib: Use SafeIntLib to avoid truncation
Math expressions written in terms of SafeIntLib function calls are easily readable, making review trivial. Convert the truncation checks added by commit 322ac05f8 to SafeIntLib calls. Cc: Jian J Wang Cc: Hao A Wu Cc: Eric Dong Suggested-by: Laszlo Ersek Signed-off-by: Philippe Mathieu-Daude --- .../DxeS3BootScriptLib.inf| 1 + .../InternalBootScriptLib.h | 1 + .../PiDxeS3BootScriptLib/BootScriptSave.c | 114 +++--- 3 files changed, 73 insertions(+), 43 deletions(-) diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf b/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf index 2b894c99da55..698039fe8e69 100644 --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf @@ -40,15 +40,16 @@ [Packages] [LibraryClasses] UefiBootServicesTableLib BaseLib BaseMemoryLib TimerLib DebugLib PcdLib UefiLib SmbusLib PciSegmentLib IoLib LockBoxLib + SafeIntLib [Protocols] gEfiSmmBase2ProtocolGuid ## SOMETIMES_CONSUMES diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/InternalBootScriptLib.h b/MdeModulePkg/Library/PiDxeS3BootScriptLib/InternalBootScriptLib.h index 9485994087d0..7513220c15ac 100644 --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/InternalBootScriptLib.h +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/InternalBootScriptLib.h 
@@ -1,49 +1,50 @@ /** @file Support for S3 boot script lib. This file defined some internal macro and internal data structure Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ #ifndef __INTERNAL_BOOT_SCRIPT_LIB__ #define __INTERNAL_BOOT_SCRIPT_LIB__ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include +#include #include "BootScriptInternalFormat.h" #define MAX_IO_ADDRESS 0x // // Macro to convert a UEFI PCI address + segment to a PCI Segment Library PCI address // #define PCI_ADDRESS_ENCODE(S, A) PCI_SEGMENT_LIB_ADDRESS( \ S, \ UINTN)(A)) & 0xff00) >> 24), \ UINTN)(A)) & 0x00ff) >> 16), \ UINTN)(A)) & 0xff00) >> 8), \ ((RShiftU64 ((A), 32) & 0xfff) | ((A) & 0xff)) \ ) diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c index 9315fc9f0188..d229263638fc 100644 --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c 
@@ -995,55 +995,60 @@ EFIAPI S3BootScriptSaveIoWrite ( IN S3_BOOT_SCRIPT_LIB_WIDTH Width, IN UINT64Address, IN UINTN Count, IN VOID *Buffer ) { + EFI_STATUSStatus; UINT8 Length; UINT8*Script; UINT8 WidthInByte; EFI_BOOT_SCRIPT_IO_WRITE ScriptIoWrite; - WidthInByte = (UINT8) (0x01 << (Width & 0x03)); + Status = SafeUintnToUint8 (Count, ); + if (EFI_ERROR (Status)) { +return RETURN_OUT_OF_RESOURCES; + } + + Status = SafeUint8Mult (Length, 0x01 << (Width & 0x03), ); + if (EFI_ERROR (Status)) { +return RETURN_OUT_OF_RESOURCES; + } - // - // Truncation check - // - if ((Count > MAX_UINT8) || - (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_IO_WRITE))) { + Status = SafeUint8Add (Length, sizeof (EFI_BOOT_SCRIPT_IO_WRITE), ); + if (EFI_ERROR (Status)) { return RETURN_OUT_OF_RESOURCES; } - Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * Count)); Script = S3BootScriptGetEntryAddAddress (Length); if (Script == NULL) { return RETURN_OUT_OF_RESOURCES; } // // save script data // ScriptIoWrite.OpCode = EFI_BOOT_SCRIPT_IO_WRITE_OPCODE; ScriptIoWrite.Length = Length; ScriptIoWrite.Width = Width; ScriptIoWrite.Address = Address; ScriptIoWrite.Count = (UINT32) Count; CopyMem ((VOID*)Script, (VOID*), sizeof(EFI_BOOT_SCRIPT_IO_WRITE)); CopyMem ((VOID*)(Script + sizeof (EFI_BOOT_SCRIPT_IO_WRITE)), Buffer, WidthInByte * Count); SyncBootScript (Script); return RETURN_SUCCESS; } /** Adds a record for an I/O modify operation into a S3 boot script table @param Width The width of the I/O operations.Enumerated in S3_BOOT_SCRIPT_LIB_WIDTH. @param Address The base address of the I/O operations. @param DataA pointer to the data to be OR-ed.
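Review bot: In S3BootScriptSaveIoWrite the assignment "WidthInByte = (UINT8) (0x01 << (Width & 0x03));" is removed, but the second CopyMem still copies "WidthInByte * Count" bytes, so the copy size now comes from an uninitialized variable. Keep the assignment and pass WidthInByte to SafeUint8Mult, or derive the payload size from the checked Length minus sizeof (EFI_BOOT_SCRIPT_IO_WRITE). The SafeIntLib functions return RETURN_STATUS and this function returns RETURN_* codes, so Status would be more consistent declared as RETURN_STATUS and tested with RETURN_ERROR.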
Re: [edk2-devel] [edk2-platforms] [PATCH 4/4] WhiskeylakeOpenBoardPkg/UpXtreme: Add DSC and build files
Thanks Chasel, I have updated the readme.md in my v2 patch set and the BZ with the current status Prince -Original Message- From: Chiu, Chasel Sent: Thursday, February 13, 2020 12:22 AM To: Agyeman, Prince ; devel@edk2.groups.io Cc: Desimone, Nathaniel L Subject: RE: [edk2-platforms] [PATCH 4/4] WhiskeylakeOpenBoardPkg/UpXtreme: Add DSC and build files Hi Prince, Please see my comments inline. Thanks, Chasel > -Original Message- > From: Agyeman, Prince > Sent: Thursday, February 13, 2020 9:38 AM > To: devel@edk2.groups.io > Cc: Chiu, Chasel ; Desimone, Nathaniel L > > Subject: [edk2-platforms] [PATCH 4/4] WhiskeylakeOpenBoardPkg/UpXtreme: > Add DSC and build files > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2191 > > Adds the DSC and build files necessary to build the > UpXtreme board instance. > > Key files > = > * build_config.cfg - Board-specific build configuration file. > * OpenBoardPkg.dsc - The UpXtreme board description file. > * OpenBoardPkgPcd.dsc - Used for other PCD customization. > * OpenBoardPkg.fdf - The UpXtreme board flash file. > * OpenBoardPkgBuildOption.dsc - Sets build options Based > on PCD values. > > Co-authored-by: Michael Kubacki > Cc: Chasel Chiu > Cc: Nate DeSimone 
> Signed-off-by: Prince Agyeman > --- > Platform/Intel/Readme.md | 12 + > .../UpXtreme/OpenBoardPkg.dsc | 448 +++ > .../UpXtreme/OpenBoardPkg.fdf | 708 > ++ > .../UpXtreme/OpenBoardPkgBuildOption.dsc | 154 > .../UpXtreme/OpenBoardPkgPcd.dsc | 409 ++ > .../UpXtreme/build_config.cfg | 35 + > Platform/Intel/build.cfg | 1 + > 7 files changed, 1767 insertions(+) > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.fdf > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkgBuildOpt > ion.dsc > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkgPcd.dsc > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/build_config.cfg > > diff --git a/Platform/Intel/Readme.md b/Platform/Intel/Readme.md > index 02d9517d19..81092633f7 100644 > --- a/Platform/Intel/Readme.md > +++ b/Platform/Intel/Readme.md > @@ -59,6 +59,12 @@ A UEFI firmware implementation using MinPlatformPkg > is constructed using the fol > > ### **Supported Hardware** > > + AAEON > + > +| Machine Name | Supported Chipsets > | BoardPkg | Board Name | > +|| > --|| > +| UP Xtreme | Whiskey Lake > | WhiskeylakeOpenBoardPkg | UpXtreme | > + > Intel > > ***Intel Reference and Validation Platform*** > @@ -233,6 +239,9 @@ return back to the minimum platform caller. >| || > build settings, environment variables. >| || >| ||--WhiskeylakeOpenBoardPkg > + | || |--UpXtreme > + | || |---build_config.cfg: > UpXtreme specific build > + | || > settings environment variables. >| || |--WhiskeylakeURvp >| || |---build_config.cfg: > WhiskeylakeURvp specific build >| || > settings environment variables. 
> @@ -256,6 +265,9 @@ return back to the minimum platform caller. > **WhiskeylakeOpenBoardPkg** > 1. This firmware project has only been tested booting to Microsoft Windows > 10 x64 with AHCI mode and Integrated Graphic > Device. > +2. UP Xtreme boards might hang during Windows 10 boot. > +3. Not all UP Xtreme boards are supported at this time, only the XXX model Basing on BZ, this XXX should be "SK Hynix memory", would you double check? > has been tested. Board-specific memory > + settings are needed to enable other models. > > ### **Package Builds** > > diff --git > a/Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc > b/Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc > new file mode 100644 > index 00..2ab9cb03ea > --- /dev/null > +++ > b/Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc > @@ -0,0 +1,448 @@ > +## @file > +# The main build description file for the UpXtreme board. > +# > +# Copyright (c) 2020, Intel Corporation. All rights reserved. > +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + DEFINE PLATFORM_PACKAGE = MinPlatformPkg > + DEFINE PLATFORM_SI_PACKAGE = CoffeelakeSiliconPkg > + DEFINE PLATFORM_SI_BIN_PACKAGE =
[edk2-devel] [edk2-platforms] [PATCH v2 0/4] Add Initial Support for UP Xtreme
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2191 This patch series add the initial Up Xtreme board support to the WhiskeylakeOpenBoardPkg V2 Changes: - Updated Readme.md to reflect the Current Status Current Status: 1. Basic boot to windows 10 (Home) and Ubuntu 18.04 from NVMe * UpXtreme: - Intel(R) Core(TM) i3-8145UE CPU @ 2.20GHz - Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz 2. UpXtreme Intel(R) Celeron(R) CPU 4305UE @ 2.00GHz hangs during memory training 3. USB mass storage devices not detected in UEFI shell Prince Agyeman (4): WhiskeylakeOpenBoardPkg/WhiskeylakeURvp: Remove BoardFuncInit WhiskeylakeOpenBoardPkg: Add UpXtreme board ID WhiskeylakeOpenBoardPkg/UpXtreme: Add Includes and Libraries WhiskeylakeOpenBoardPkg/UpXtreme: Add DSC and build files Platform/Intel/Readme.md | 19 +- .../Include/PlatformBoardId.h |5 +- .../PeiFspMiscUpdUpdateLib.c | 110 + .../PeiFspPolicyUpdateLib.c | 126 + .../PeiMiscPolicyUpdate.h | 25 + .../PeiPchPolicyUpdate.c | 300 ++ .../PeiPchPolicyUpdate.h | 28 + .../PeiPchPolicyUpdatePreMem.c| 39 + .../PeiSaPolicyUpdate.c | 158 + .../PeiSaPolicyUpdate.h | 45 + .../PeiSaPolicyUpdatePreMem.c | 124 + .../PeiSiliconPolicyUpdateLibFsp.inf | 144 + .../FspWrapperPlatformSecLib.c| 186 + .../SecFspWrapperPlatformSecLib/FsptCoreUpd.h | 40 + .../SecFspWrapperPlatformSecLib/Ia32/Fsp.h| 42 + .../Ia32/PeiCoreEntry.nasm| 130 + .../Ia32/SecEntry.nasm| 361 ++ .../Ia32/Stack.nasm | 72 + .../PlatformInit.c| 47 + .../SecFspWrapperPlatformSecLib.inf | 105 + .../SecGetPerformance.c | 89 + .../SecPlatformInformation.c | 78 + .../SecRamInitData.c | 55 + .../SecTempRamDone.c | 93 + .../UpXtreme/Include/Fdf/FlashMapInclude.fdf | 51 + .../Include/Library/PeiPlatformHookLib.h | 131 + .../UpXtreme/Include/Library/PeiPlatformLib.h | 38 + .../UpXtreme/Include/PlatformBoardConfig.h| 103 + .../UpXtreme/Include/PlatformInfo.h | 42 + .../Library/BaseFuncLib/BaseFuncLib.inf | 33 + .../UpXtreme/Library/BaseFuncLib/Gop.c| 38 + .../BaseGpioCheckConflictLib.c| 137 + 
.../BaseGpioCheckConflictLib.inf | 35 + .../BaseGpioCheckConflictLibNull.c| 37 + .../BaseGpioCheckConflictLibNull.inf | 32 + .../BasePlatformHookLib/BasePlatformHookLib.c | 143 + .../BasePlatformHookLib.inf | 45 + .../BoardAcpiLib/SmmBoardAcpiEnableLib.c | 63 + .../BoardAcpiLib/SmmBoardAcpiEnableLib.inf| 50 + .../SmmMultiBoardAcpiSupportLib.c | 82 + .../SmmMultiBoardAcpiSupportLib.inf | 50 + .../BoardAcpiLib/SmmSiliconAcpiEnableLib.c| 170 + .../BoardAcpiLib/SmmUpXtremeAcpiEnableLib.c | 40 + .../BoardInitLib/BoardFuncInitPreMem.c| 25 + .../Library/BoardInitLib/BoardInitLib.h | 20 + .../BoardInitLib/BoardPchInitPreMemLib.c | 383 +++ .../BoardInitLib/BoardSaConfigPreMem.h| 79 + .../BoardInitLib/BoardSaInitPreMemLib.c | 298 ++ .../Library/BoardInitLib/GpioTableDefault.c | 213 ++ .../Library/BoardInitLib/GpioTableUpXtreme.c | 217 ++ .../Library/BoardInitLib/PchHdaVerbTables.h | 3014 + .../BoardInitLib/PeiBoardInitPostMemLib.c | 40 + .../BoardInitLib/PeiBoardInitPostMemLib.inf | 57 + .../BoardInitLib/PeiBoardInitPreMemLib.c | 106 + .../BoardInitLib/PeiBoardInitPreMemLib.inf| 124 + .../PeiMultiBoardInitPostMemLib.c | 41 + .../PeiMultiBoardInitPostMemLib.inf | 202 ++ .../BoardInitLib/PeiMultiBoardInitPreMemLib.c | 83 + .../PeiMultiBoardInitPreMemLib.inf| 301 ++ .../Library/BoardInitLib/PeiUpXtremeDetect.c | 192 ++ .../BoardInitLib/PeiUpXtremeInitPostMemLib.c | 416 +++ .../BoardInitLib/PeiUpXtremeInitPreMemLib.c | 619 .../BoardInitLib/UpXtremeHsioPtssTables.c | 32 + .../Library/BoardInitLib/UpXtremeInit.h | 44 + .../Library/BoardInitLib/UpXtremeSpdTable.c | 87 + .../DxePolicyBoardConfig.h| 19 + .../DxePolicyBoardConfigLib.inf | 45 + .../DxeSaPolicyBoardConfig.c | 36 + .../PeiPlatformHookLib/PeiPlatformHookLib.c | 298 ++ .../PeiPlatformHookLib/PeiPlatformHookLib.inf | 95 + .../PeiCpuPolicyBoardConfig.c | 49 + .../PeiCpuPolicyBoardConfigPreMem.c | 29 + .../PeiMePolicyBoardConfig.c | 36 + .../PeiMePolicyBoardConfigPreMem.c| 37 +
[edk2-devel] [edk2-platforms] [PATCH v2 4/4] WhiskeylakeOpenBoardPkg/UpXtreme: Add DSC and build files
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2191 Adds the DSC and build files necessary to build the UpXtreme board instance. Key files = * build_config.cfg - Board-specific build configuration file. * OpenBoardPkg.dsc - The UpXtreme board description file. * OpenBoardPkgPcd.dsc - Used for other PCD customization. * OpenBoardPkg.fdf - The UpXtreme board flash file. * OpenBoardPkgBuildOption.dsc - Sets build options Based on PCD values. Co-authored-by: Michael Kubacki Cc: Chasel Chiu Cc: Nate DeSimone Signed-off-by: Prince Agyeman --- Platform/Intel/Readme.md | 19 +- .../UpXtreme/OpenBoardPkg.dsc | 448 +++ .../UpXtreme/OpenBoardPkg.fdf | 708 ++ .../UpXtreme/OpenBoardPkgBuildOption.dsc | 154 .../UpXtreme/OpenBoardPkgPcd.dsc | 409 ++ .../UpXtreme/build_config.cfg | 35 + Platform/Intel/build.cfg | 1 + 7 files changed, 1772 insertions(+), 2 deletions(-) create mode 100644 Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc create mode 100644 Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.fdf create mode 100644 Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkgBuildOption.dsc create mode 100644 Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkgPcd.dsc create mode 100644 Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/build_config.cfg diff --git a/Platform/Intel/Readme.md b/Platform/Intel/Readme.md index 02d9517d19..55cf02a8ca 100644 --- a/Platform/Intel/Readme.md +++ b/Platform/Intel/Readme.md @@ -59,6 +59,12 @@ A UEFI firmware implementation using MinPlatformPkg is constructed using the fol ### **Supported Hardware** + AAEON + +| Machine Name | Supported Chipsets | BoardPkg | Board Name | +||--|| +| UP Xtreme | Whiskey Lake | WhiskeylakeOpenBoardPkg | UpXtreme | + Intel ***Intel Reference and Validation Platform*** 
@@ -233,6 +239,9 @@ return back to the minimum platform caller. | || build settings, environment variables. | || | ||--WhiskeylakeOpenBoardPkg + | || |--UpXtreme + | || |---build_config.cfg: UpXtreme specific build + | || settings environment variables. | || |--WhiskeylakeURvp | || |---build_config.cfg: WhiskeylakeURvp specific build | || settings environment variables. @@ -254,8 +263,14 @@ return back to the minimum platform caller. 1. This firmware project has only been tested booting to Microsoft Windows 10 x64 and Ubuntu 17.10 with AHCI mode. **WhiskeylakeOpenBoardPkg** -1. This firmware project has only been tested booting to Microsoft Windows 10 x64 with AHCI mode and Integrated Graphic +1. This firmware project has mainly been tested booting to Microsoft Windows 10 x64 with AHCI mode and Integrated Graphic Device. +2. UP Xtreme boards might hang during Windows 10 boot. +3. Not all UP Xtreme boards are supported at this time. +* The model below boots to x64 windows 10 home edition and Ubuntu 18.04 + * Xtreme Intel(R) Core(TM) i3-8145UE CPU @ 2.20GHz with 8GB RAM + * Xtreme Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz with 16GB RAM +* Intel(R) Celeron(R) CPU 4305UE @ 2.00GHz with 4GB RAM hangs during memory initialization ### **Package Builds** @@ -293,5 +308,5 @@ If you would like to help but are not sure where to start some areas currently i * Adding board ports for more motherboards and systems * Adding Clang support -Please feel free to contact Michael Kubacki (michael.a.kubacki at intel.com) and Isaac Oram (isaac.w.oram at intel.com) +Please feel free to contact Isaac Oram (isaac.w.oram at intel.com) if you would like to discuss contribution ideas. diff --git a/Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc b/Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc new file mode 100644 index 00..2ab9cb03ea --- /dev/null +++ b/Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc 
@@ -0,0 +1,448 @@ +## @file +# The main build description file for the UpXtreme board. +# +# Copyright (c) 2020, Intel Corporation. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + DEFINE PLATFORM_PACKAGE = MinPlatformPkg + DEFINE PLATFORM_SI_PACKAGE
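Review bot: The Readme.md hunk at "@@ -293,5 +308,5 @@" drops Michael Kubacki from the contact sentence, and the hunk at "@@ -254,8 +263,14 @@" changes "has only been tested" to "has mainly been tested"; neither change is mentioned in the commit message, which describes only adding the DSC and build files. Say so in the commit message or move both edits into a separate Readme patch. In the same hunk, item 2 ("UP Xtreme boards might hang during Windows 10 boot") reads as contradicting the list under item 3 of models that boot Windows 10; state which models or conditions the hang applies to.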
[edk2-devel] [edk2-platforms] [PATCH v2 2/4] WhiskeylakeOpenBoardPkg: Add UpXtreme board ID
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2191 Co-authored-by: Michael Kubacki Cc: Chasel Chiu Cc: Nate DeSimone Signed-off-by: Prince Agyeman --- .../Intel/WhiskeylakeOpenBoardPkg/Include/PlatformBoardId.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Platform/Intel/WhiskeylakeOpenBoardPkg/Include/PlatformBoardId.h b/Platform/Intel/WhiskeylakeOpenBoardPkg/Include/PlatformBoardId.h index 3545b2a05c..4e8288b1f1 100644 --- a/Platform/Intel/WhiskeylakeOpenBoardPkg/Include/PlatformBoardId.h +++ b/Platform/Intel/WhiskeylakeOpenBoardPkg/Include/PlatformBoardId.h @@ -1,8 +1,8 @@ /** @file -Defines Platform BoardIds + Defines Whiskey Lake Platform Board IDs - Copyright (c) 2019, Intel Corporation. All rights reserved. + Copyright (c) 2019 - 2020, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -21,6 +21,7 @@ Defines Platform BoardIds #define TypeTrad0x1 #define TypeUltUlx 0x2 +#define BoardIdUpXtreme 0x10 #define BoardIdWhiskeyLakeRvp 0x60 #define BoardIdUnknown1 0x -- 2.19.1.windows.1
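Review bot: The new "#define BoardIdUpXtreme 0x10" carries no indication of where the value 0x10 comes from, and the commit message has no body beyond the REF line. Add a sentence to the commit message, and a short comment next to the define, saying whether 0x10 is read from hardware or is a software-assigned ID, so that later board ports know how to pick a value that does not collide.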
[edk2-devel] [edk2-platforms] [PATCH v2 1/4] WhiskeylakeOpenBoardPkg/WhiskeylakeURvp: Remove BoardFuncInit
Removes BoardFuncInit related functionality in WhiskeylakeURvp. Co-authored-by: Michael Kubacki Cc: Chasel Chiu Cc: Nate DeSimone Signed-off-by: Prince Agyeman --- .../Library/BoardInitLib/BoardFunc.c | 19 .../Library/BoardInitLib/BoardFunc.h | 20 - .../Library/BoardInitLib/BoardFuncInit.c | 26 - .../BoardInitLib/BoardFuncInitPreMem.c| 29 +-- .../BoardInitLib/BoardPchInitPreMemLib.c | 3 +- .../PeiMultiBoardInitPostMemLib.inf | 4 --- .../PeiWhiskeylakeURvpInitPostMemLib.c| 8 - .../PeiWhiskeylakeURvpInitPreMemLib.c | 10 +-- 8 files changed, 9 insertions(+), 110 deletions(-) delete mode 100644 Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFunc.c delete mode 100644 Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFunc.h delete mode 100644 Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFuncInit.c diff --git a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFunc.c b/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFunc.c deleted file mode 100644 index 7a2fed9904..00 --- a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFunc.c +++ /dev/null @@ -1,19 +0,0 @@ -/** @file - Board's PCD function hook. - - - Copyright (c) 2019, Intel Corporation. All rights reserved. - SPDX-License-Identifier: BSD-2-Clause-Patent -**/ - -#include - -EFI_STATUS -PeiBoardSpecificInitPostMemNull ( - VOID - ) -{ - return EFI_SUCCESS; -} - - diff --git a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFunc.h b/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFunc.h deleted file mode 100644 index 9e0ff8d033..00 --- a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFunc.h +++ /dev/null 
@@ -1,20 +0,0 @@ -/** @file - Header file for Board Hook function intance. - - - Copyright (c) 2019, Intel Corporation. All rights reserved. - SPDX-License-Identifier: BSD-2-Clause-Patent -**/ - -#ifndef _BOARD_FUNC_H_ -#define _BOARD_FUNC_H_ - -#include - -EFI_STATUS -PeiBoardSpecificInitPostMemNull ( - VOID - ); - -#endif // _BOARD_FUNC_H_ - diff --git a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFuncInit.c b/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFuncInit.c deleted file mode 100644 index b8c69166ed..00 --- a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFuncInit.c +++ /dev/null @@ -1,26 +0,0 @@ -/** @file - Source code for the board configuration init function in Post Memory init phase. - - - Copyright (c) 2019, Intel Corporation. All rights reserved. - SPDX-License-Identifier: BSD-2-Clause-Patent -**/ - -#include "BoardFunc.h" - -/** - Board's PCD function hook init function for PEI post memory phase. - - @param[in] BoardId An unsigned integrer represent the board id. - - @retval EFI_SUCCESS The function completed successfully. -**/ -EFI_STATUS -BoardFunctionInit ( - IN UINT16 BoardId -) -{ - - return EFI_SUCCESS; -} - diff --git a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFuncInitPreMem.c b/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFuncInitPreMem.c index 1944a02bf1..06ff64da8d 100644 --- a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFuncInitPreMem.c +++ b/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardFuncInitPreMem.c 
@@ -2,39 +2,24 @@ Source code for the board configuration init function in Post Memory init phase. - Copyright (c) 2019, Intel Corporation. All rights reserved. + Copyright (c) 2019 - 2020, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include + // // Null function for nothing GOP VBT update. // VOID -GopVbtSpecificUpdateNull( +GopVbtSpecificUpdateNull ( IN CHILD_STRUCT **ChildStructPtr -); + ); + // // for CFL U DDR4 // VOID -CflUDdr4GopVbtSpecificUpdate( +CflUDdr4GopVbtSpecificUpdate ( IN CHILD_STRUCT **ChildStructPtr -); -/** - Board's PCD function hook init function for PEI post memory phase. - - @param[in] BoardId An unsigned integrer represent the board id. - - @retval EFI_SUCCESS The function completed successfully. -**/ -EFI_STATUS -BoardFunctionInitPreMem ( - IN UINT16 BoardId - ) -{ - - return EFI_SUCCESS; -} - - + ); diff --git a/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardPchInitPreMemLib.c b/Platform/Intel/WhiskeylakeOpenBoardPkg/WhiskeylakeURvp/Library/BoardInitLib/BoardPchInitPreMemLib.c index 5305ec7f7c..1f778c4f7e 100644 ---
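Review bot: In the BoardFuncInitPreMem.c hunk, the @file description kept as context still reads "Source code for the board configuration init function in Post Memory init phase". That wording does not fit a pre-memory file, and it describes nothing once BoardFunctionInitPreMem() is deleted. The visible part of the file is left with only the GopVbtSpecificUpdateNull and CflUDdr4GopVbtSpecificUpdate prototypes, so either update the description to say that, or move the two prototypes into a header and delete this file along with BoardFunc.c, BoardFunc.h and BoardFuncInit.c.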
Re: [edk2-devel] [edk2-platforms] [PATCH v2 0/5] Platform/ARM/SgiPkg: Add support for RD-N1-Edge-Dual platform
On the whole, looks good. If you can resubmit v3 versions of patches 2-3 only based on feedback, that would suffice. On a separate note: Could someone in ARM take an action item to go and figure out who should be default reviewer for the various ARM ltd platforms (virtual or not), and submit a patch to Maintainers.txt adding some R:? Best Regards, Leif On Wed, Feb 12, 2020 at 18:59:22 +0530, Vijayenthiran Subramaniam wrote: > Changes since v1: > - Fix typo which caused build error > > This patch series adds support for RD-N1-Edge platform with multi-chip > capability. The first patch in this series is an improvement to SgiPkg to > avoid > any usage of deprecated APIs. The second patch refactors the existing code to > use lookup table in order to identify the platform. The rest of the patch adds > multi-chip support for the RD-N1-Edge platform. > > Vijayenthiran Subramaniam (5): > Platform/ARM/SgiPkg: Disable use of deprecated APIs > Platform/ARM/SgiPkg: Use lookup table to install ACPI table > Platform/ARM/SgiPkg: Add MultiChipMode to Platform Descriptor > Platform/ARM/Sgi: Add ACPI tables for dual-chip RD-N1-Edge platform > Platform/ARM/Sgi: Add initial support for RD-N1-Edge-Dual platform > > Platform/ARM/SgiPkg/SgiPlatform.dec | 1 + > Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 3 + > Platform/ARM/SgiPkg/SgiPlatform.dsc | 4 + > Platform/ARM/SgiPkg/SgiPlatform.fdf | 1 + > Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2AcpiTables.inf | 59 ++ > Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.inf | 1 + > Platform/ARM/SgiPkg/Include/SgiPlatform.h| 7 + > Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c| 61 +- > Platform/ARM/SgiPkg/Library/SgiPlatformPei/SgiPlatformPeim.c | 8 + > Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2/Madt.aslc | 198 > > 10 files changed, 333 insertions(+), 10 deletions(-) > create mode 100644 Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2AcpiTables.inf > create mode 100644 Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2/Madt.aslc > > -- > 2.7.4 > 
Re: [edk2-devel] [edk2-platforms] [PATCH v2 4/5] Platform/ARM/Sgi: Add ACPI tables for dual-chip RD-N1-Edge platform
On Wed, Feb 12, 2020 at 18:59:26 +0530, Vijayenthiran Subramaniam wrote: > RD-N1-Edge supports a dual-chip configuration in which two RD-N1-Edge > platforms are connected through high speed CCIX link. In this dual-chip > configuration, the CPU and core GIC Redistributors count are doubled. > Add ACPI tables for dual-chip RD-N1-Edge platform. > > Signed-off-by: Vijayenthiran Subramaniam I have not verified the correctness of the ACPI contents, but on the whole: Reviewed-by: Leif Lindholm / Leif > --- > Platform/ARM/SgiPkg/SgiPlatform.dec | 1 + > Platform/ARM/SgiPkg/SgiPlatform.dsc | 1 + > Platform/ARM/SgiPkg/SgiPlatform.fdf | 1 + > Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2AcpiTables.inf | 59 ++ > Platform/ARM/SgiPkg/Include/SgiPlatform.h | 3 + > Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2/Madt.aslc | 198 > > 6 files changed, 263 insertions(+) > > diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dec > b/Platform/ARM/SgiPkg/SgiPlatform.dec > index 229552ea7842..9d70ec66 100644 > --- a/Platform/ARM/SgiPkg/SgiPlatform.dec > +++ b/Platform/ARM/SgiPkg/SgiPlatform.dec > @@ -28,6 +28,7 @@ [Guids.common] >gArmSgiTokenSpaceGuid = { 0x577d6941, 0xaea1, 0x40b4, { 0x90, 0x93, > 0x2a, 0x86, 0x61, 0x72, 0x5a, 0x57 } } >gSgi575AcpiTablesFileGuid = { 0xc712719a, 0x0aaf, 0x438c, { 0x9c, 0xdd, > 0x35, 0xab, 0x4d, 0x60, 0x20, 0x7d } } >gRdN1EdgeAcpiTablesFileGuid = { 0x4b0b91d0, 0x4a05, 0x45c4, { 0x88, 0xa7, > 0x88, 0xe1, 0x70, 0xe7, 0x66, 0x94 } } > + gRdN1EdgeX2AcpiTablesFileGuid = { 0x82a34150, 0x0fc6, 0x45f4, { 0x8e, > 0xa0, 0xf0, 0xa4, 0x66, 0x0c, 0xf3, 0x5d } } >gRdE1EdgeAcpiTablesFileGuid = { 0x2af40815, 0xa84e, 0x4de9, { 0x8c, 0x38, > 0x91, 0x40, 0xb3, 0x54, 0x40, 0x73 } } > > [PcdsFeatureFlag.common] > diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dsc > b/Platform/ARM/SgiPkg/SgiPlatform.dsc > index e38cc7da52a5..5226c5751e98 100644 > --- a/Platform/ARM/SgiPkg/SgiPlatform.dsc > +++ b/Platform/ARM/SgiPkg/SgiPlatform.dsc 
> @@ -279,6 +279,7 @@ [Components.common] >MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf >Platform/ARM/SgiPkg/AcpiTables/Sgi575AcpiTables.inf >Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeAcpiTables.inf > + Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2AcpiTables.inf >Platform/ARM/SgiPkg/AcpiTables/RdE1EdgeAcpiTables.inf >MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf > > diff --git a/Platform/ARM/SgiPkg/SgiPlatform.fdf > b/Platform/ARM/SgiPkg/SgiPlatform.fdf > index 44e571a184bf..3d13998015b9 100644 > --- a/Platform/ARM/SgiPkg/SgiPlatform.fdf > +++ b/Platform/ARM/SgiPkg/SgiPlatform.fdf > @@ -101,6 +101,7 @@ [FV.FvMain] >INF MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf >INF RuleOverride=ACPITABLE > Platform/ARM/SgiPkg/AcpiTables/Sgi575AcpiTables.inf >INF RuleOverride=ACPITABLE > Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeAcpiTables.inf > + INF RuleOverride=ACPITABLE > Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2AcpiTables.inf >INF RuleOverride=ACPITABLE > Platform/ARM/SgiPkg/AcpiTables/RdE1EdgeAcpiTables.inf >INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf > > diff --git a/Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2AcpiTables.inf > b/Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2AcpiTables.inf > new file mode 100644 > index ..1b584b152455 > --- /dev/null > +++ b/Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2AcpiTables.inf 
> @@ -0,0 +1,59 @@ > +## @file > +# ACPI table data and ASL sources required to boot the platform. > +# > +# Copyright (c) 2020, ARM Ltd. All rights reserved. > +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION= 0x0001001A > + BASE_NAME = RdN1EdgeX2AcpiTables > + FILE_GUID = 82a34150-0fc6-45f4-8ea0-f0a4660cf35d > + MODULE_TYPE= USER_DEFINED > + VERSION_STRING = 1.0 > + > +[Sources] > + Dbg2.aslc > + Fadt.aslc > + Gtdt.aslc > + Iort.aslc > + Mcfg.aslc > + RdN1Edge/Dsdt.asl > + RdN1EdgeX2/Madt.aslc > + Spcr.aslc > + Ssdt.asl > + > +[Packages] > + ArmPkg/ArmPkg.dec > + ArmPlatformPkg/ArmPlatformPkg.dec > + EmbeddedPkg/EmbeddedPkg.dec > + MdePkg/MdePkg.dec > + Platform/ARM/SgiPkg/SgiPlatform.dec > + > +[FixedPcd] > + gArmPlatformTokenSpaceGuid.PcdCoreCount > + gArmPlatformTokenSpaceGuid.PcdClusterCount > + gArmPlatformTokenSpaceGuid.PcdSerialDbgRegisterBase > + gArmPlatformTokenSpaceGuid.PL011UartInterrupt > + > + gArmTokenSpaceGuid.PcdArmArchTimerSecIntrNum > + gArmTokenSpaceGuid.PcdArmArchTimerIntrNum > + gArmTokenSpaceGuid.PcdArmArchTimerHypIntrNum > + gArmTokenSpaceGuid.PcdArmArchTimerVirtIntrNum > + gArmTokenSpaceGuid.PcdGicDistributorBase > + gArmTokenSpaceGuid.PcdGicRedistributorsBase > + gArmTokenSpaceGuid.PcdGenericWatchdogControlBase > +
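Review bot: In the new RdN1EdgeX2AcpiTables.inf, [Sources] takes only RdN1EdgeX2/Madt.aslc from the dual-chip directory and reuses the single-chip RdN1Edge/Dsdt.asl, while the commit message says the CPU count is doubled. Please confirm that the shared DSDT declares a processor device for every CPU listed in the X2 MADT, or add an RdN1EdgeX2/Dsdt.asl. A sentence in the commit message on why the remaining tables can be shared unchanged would settle it either way.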
Re: [edk2-devel] [edk2-platforms] [PATCH v2 5/5] Platform/ARM/Sgi: Add initial support for RD-N1-Edge-Dual platform
On Wed, Feb 12, 2020 at 18:59:27 +0530, Vijayenthiran Subramaniam wrote: > For RD-N1-Edge platforms, use multi-chip-mode information from the > SGI platform descriptor HOB to pick the correct ACPI table to be > installed. > > Signed-off-by: Vijayenthiran Subramaniam Reviewed-by: Leif Lindholm > --- > Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.inf | 1 + > Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c | 5 + > 2 files changed, 6 insertions(+) > > diff --git a/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.inf > b/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.inf > index a95c0d16..741dcc75ed6a 100644 > --- a/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.inf > +++ b/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.inf > @@ -32,6 +32,7 @@ [Guids] >gArmSgiPlatformIdDescriptorGuid >gSgi575AcpiTablesFileGuid >gRdN1EdgeAcpiTablesFileGuid > + gRdN1EdgeX2AcpiTablesFileGuid >gRdE1EdgeAcpiTablesFileGuid > > [FeaturePcd] > diff --git a/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c > b/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c > index a2250a37bb57..3ef775187ac6 100644 > --- a/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c > +++ b/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c > @@ -38,6 +38,11 @@ STATIC SGI_PLATFORM_ACPI_TABLE_GUID_LOOKUP > AcpiTableGuidLookup[] = { >), >ACPI_GUID_LOOKUP ( >RD_N1E1_EDGE_PART_NUM, > + RD_N1_EDGE_CONF_ID, > + MULTI_CHIP_MODE_ENABLED, > + ), > + ACPI_GUID_LOOKUP ( > + RD_N1E1_EDGE_PART_NUM, >RD_E1_EDGE_CONF_ID, >MULTI_CHIP_MODE_DISABLED, >), > -- > 2.7.4 >
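Review bot: In the AcpiTableGuidLookup hunk, only RD_N1_EDGE_CONF_ID gains a MULTI_CHIP_MODE_ENABLED entry; RD_E1_EDGE_CONF_ID and SGI575 have none, so a descriptor for either that reports multi-chip mode matches no row and the driver ends with EFI_UNSUPPORTED. If that is intended, add a short comment above the table saying which platform and mode combinations are supported, and a one-line comment on the new entry naming it as the dual-chip RD-N1-Edge variant, since it otherwise differs from the entry before it only in the mode field.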
Re: [edk2-devel] [edk2-platforms] [PATCH v2 3/5] Platform/ARM/SgiPkg: Add MultiChipMode to Platform Descriptor
On Wed, Feb 12, 2020 at 18:59:25 +0530, Vijayenthiran Subramaniam wrote: > The 'system-id' node of HW_CONFIG device tree has been updated to have > a new property 'multi-chip-mode' which holds the information about the > multi-chip-mode support. To adapt to this change, add 'MultiChipMode' > member to SGI_PLATFORM_DESCRIPTOR structure to get 'multi-chip-mode' > property from fdt. > > Signed-off-by: Vijayenthiran Subramaniam Apart from the "i" variable: Reviewed-by: Leif Lindholm As long as that is the only thing that changes, please keep that R-b when sending out v3. / Leif > --- > Platform/ARM/SgiPkg/Include/SgiPlatform.h| 4 > Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c| 13 > ++--- > Platform/ARM/SgiPkg/Library/SgiPlatformPei/SgiPlatformPeim.c | 8 > 3 files changed, 22 insertions(+), 3 deletions(-) > > diff --git a/Platform/ARM/SgiPkg/Include/SgiPlatform.h > b/Platform/ARM/SgiPkg/Include/SgiPlatform.h > index e4a2e8cc0971..7c9322d1cda9 100644 > --- a/Platform/ARM/SgiPkg/Include/SgiPlatform.h > +++ b/Platform/ARM/SgiPkg/Include/SgiPlatform.h > @@ -79,10 +79,14 @@ > #define SGI_CONFIG_SHIFT 0x1C > #define SGI_PART_NUM_MASK 0xFFF > > +#define MULTI_CHIP_MODE_DISABLED 0x0 > +#define MULTI_CHIP_MODE_ENABLED 0x1 > + > // ARM platform description data. > typedef struct { >UINTN PlatformId; >UINTN ConfigId; > + UINTN MultiChipMode; > } SGI_PLATFORM_DESCRIPTOR; > > #endif // __SGI_PLATFORM_H__ > diff --git a/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c > b/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c > index 4ab0dd768cd1..a2250a37bb57 100644 > --- a/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c > +++ b/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c 
> @@ -17,10 +17,10 @@ typedef struct { > } SGI_PLATFORM_ACPI_TABLE_GUID_LOOKUP; > > // Macro to construct the SGI_PLATFORM_ACPI_TABLE_GUID_LOOKUP structure > -#define ACPI_GUID_LOOKUP(PART_NUM, CONFIG_NUM, GUID) > \ > +#define ACPI_GUID_LOOKUP(PART_NUM, CONFIG_NUM, MULTI_CHIP_MODE, GUID) > \ > { > \ >{ > \ > -PART_NUM, CONFIG_NUM > \ > +PART_NUM, CONFIG_NUM, MULTI_CHIP_MODE > \ >}, > \ >GUID > \ > } > \ > @@ -29,14 +29,17 @@ STATIC SGI_PLATFORM_ACPI_TABLE_GUID_LOOKUP > AcpiTableGuidLookup[] = { >ACPI_GUID_LOOKUP ( >SGI575_PART_NUM, >SGI575_CONF_NUM, > + MULTI_CHIP_MODE_DISABLED, >), >ACPI_GUID_LOOKUP ( >RD_N1E1_EDGE_PART_NUM, >RD_N1_EDGE_CONF_ID, > + MULTI_CHIP_MODE_DISABLED, >), >ACPI_GUID_LOOKUP ( >RD_N1E1_EDGE_PART_NUM, >RD_E1_EDGE_CONF_ID, > + MULTI_CHIP_MODE_DISABLED, >), > }; > > @@ -58,6 +61,7 @@ ArmSgiPkgEntryPoint ( >UINT8 i; >UINT32 ConfigId; >UINT32 PartNum; > + UINT32 MultiChipMode; > >SystemIdHob = GetFirstGuidHob (); >if (SystemIdHob == NULL) { > @@ -69,13 +73,16 @@ ArmSgiPkgEntryPoint ( > >PartNum = HobData->PlatformId; >ConfigId = HobData->ConfigId; > + MultiChipMode = HobData->MultiChipMode; > >Status = EFI_UNSUPPORTED; > >// Walk through the AcpiTableGuidLookup lookup array >for (i = 0; i < ARRAY_SIZE (AcpiTableGuidLookup); i++) { > if ((PartNum == AcpiTableGuidLookup[i].SgiPlafromDescriptor.PlatformId) > && > -(ConfigId == AcpiTableGuidLookup[i].SgiPlafromDescriptor.ConfigId)) { > +(ConfigId == AcpiTableGuidLookup[i].SgiPlafromDescriptor.ConfigId) > && > +(MultiChipMode == > + AcpiTableGuidLookup[i].SgiPlafromDescriptor.MultiChipMode)) { >Status = LocateAndInstallAcpiFromFv > (AcpiTableGuidLookup[i].AcpiTableGuid); >break; > } > diff --git a/Platform/ARM/SgiPkg/Library/SgiPlatformPei/SgiPlatformPeim.c > b/Platform/ARM/SgiPkg/Library/SgiPlatformPei/SgiPlatformPeim.c > index 4daa1832dfaf..7df52cc4fd7c 100644 > --- a/Platform/ARM/SgiPkg/Library/SgiPlatformPei/SgiPlatformPeim.c > +++ b/Platform/ARM/SgiPkg/Library/SgiPlatformPei/SgiPlatformPeim.c 
> @@ -75,6 +75,14 @@ GetSgiSystemId ( > >HobData->ConfigId = fdt32_to_cpu (*Property); > > + Property = fdt_getprop (NtFwCfgDtBlob, Offset, "multi-chip-mode", NULL); > + if (Property == NULL) { > +DEBUG ((DEBUG_WARN, "multi-chip-mode property not found\n")); > +
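Review bot: In the ArmSgiPkgEntryPoint() hunk the new local is declared "UINT32 MultiChipMode" but is assigned from HobData->MultiChipMode, which this patch adds to SGI_PLATFORM_DESCRIPTOR as UINTN, and is then compared against the UINTN field in the lookup table. Declare the local as UINTN, or make the descriptor field UINT32, so the comparison is not made on a truncated value. PartNum and ConfigId already follow the same UINT32-from-UINTN pattern and could be fixed in the same pass.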
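Review bot: In the GetSgiSystemId() hunk, fdt_getprop() for "multi-chip-mode" is called with NULL as the length argument, so nothing checks that the property holds a full 32-bit cell before it is read the way ConfigId is read just above (fdt32_to_cpu (*Property)). Pass a length variable and reject a property shorter than sizeof (UINT32). Since the property is new, the not-found branch should also be explicit about what an older HW_CONFIG blob gets; the visible part stops at the DEBUG_WARN, and setting HobData->MultiChipMode to MULTI_CHIP_MODE_DISABLED there would keep such blobs matching the existing table entries.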
Re: [edk2-devel] [edk2-platforms] [PATCH v2 2/5] Platform/ARM/SgiPkg: Use lookup table to install ACPI table
On Wed, Feb 12, 2020 at 18:59:24 +0530, Vijayenthiran Subramaniam wrote: > Use lookup table to identify the platform and install corresponding ACPI > tables. As the number of supported platforms grow, the existing platform > identification using if..else does not scale well. > > Signed-off-by: Vijayenthiran Subramaniam > --- > Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c | 49 > > 1 file changed, 39 insertions(+), 10 deletions(-) > > diff --git a/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c > b/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c > index 09e00e5d538b..4ab0dd768cd1 100644 > --- a/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c > +++ b/Platform/ARM/SgiPkg/Drivers/PlatformDxe/PlatformDxe.c > @@ -11,6 +11,35 @@ > #include > #include > > +typedef struct { > + SGI_PLATFORM_DESCRIPTOR SgiPlafromDescriptor; > + CONST EFI_GUID*AcpiTableGuid; > +} SGI_PLATFORM_ACPI_TABLE_GUID_LOOKUP; > + > +// Macro to construct the SGI_PLATFORM_ACPI_TABLE_GUID_LOOKUP structure > +#define ACPI_GUID_LOOKUP(PART_NUM, CONFIG_NUM, GUID) > \ > +{ > \ > + { > \ > +PART_NUM, CONFIG_NUM > \ > + }, > \ > + GUID > \ > +} > \ > + > +STATIC SGI_PLATFORM_ACPI_TABLE_GUID_LOOKUP AcpiTableGuidLookup[] = { > + ACPI_GUID_LOOKUP ( > + SGI575_PART_NUM, > + SGI575_CONF_NUM, > + ), > + ACPI_GUID_LOOKUP ( > + RD_N1E1_EDGE_PART_NUM, > + RD_N1_EDGE_CONF_ID, > + ), > + ACPI_GUID_LOOKUP ( > + RD_N1E1_EDGE_PART_NUM, > + RD_E1_EDGE_CONF_ID, > + ), > +}; > + > VOID > InitVirtioDevices ( >VOID > @@ -26,6 +55,7 @@ ArmSgiPkgEntryPoint ( >EFI_STATUS Status; >VOID*SystemIdHob; >SGI_PLATFORM_DESCRIPTOR *HobData; > + UINT8 i; Type should be UINTN. "Index" or "Idx" would be more idiomatic. / Leif >UINT32 ConfigId; >UINT32 PartNum; 
> > @@ -40,16 +70,15 @@ ArmSgiPkgEntryPoint ( >PartNum = HobData->PlatformId; >ConfigId = HobData->ConfigId; > > - if ((PartNum == SGI575_PART_NUM) && (ConfigId == SGI575_CONF_NUM)) { > -Status = LocateAndInstallAcpiFromFv (); > - } else if ((PartNum == RD_N1E1_EDGE_PART_NUM) && > - (ConfigId == RD_N1_EDGE_CONF_ID)) { > -Status = LocateAndInstallAcpiFromFv (); > - } else if ((PartNum == RD_N1E1_EDGE_PART_NUM) && > - (ConfigId == RD_E1_EDGE_CONF_ID)) { > -Status = LocateAndInstallAcpiFromFv (); > - } else { > -Status = EFI_UNSUPPORTED; > + Status = EFI_UNSUPPORTED; > + > + // Walk through the AcpiTableGuidLookup lookup array > + for (i = 0; i < ARRAY_SIZE (AcpiTableGuidLookup); i++) { > +if ((PartNum == AcpiTableGuidLookup[i].SgiPlafromDescriptor.PlatformId) > && > +(ConfigId == AcpiTableGuidLookup[i].SgiPlafromDescriptor.ConfigId)) { > + Status = LocateAndInstallAcpiFromFv > (AcpiTableGuidLookup[i].AcpiTableGuid); > + break; > +} >} > >if (EFI_ERROR (Status)) { > -- > 2.7.4 >
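Review bot: The struct member is spelled SgiPlafromDescriptor in the new SGI_PLATFORM_ACPI_TABLE_GUID_LOOKUP typedef and in both comparisons inside the loop; rename it to SgiPlatformDescriptor in this patch, before patch 3/5 adds a third use of the misspelled name. The table is also only ever read, so AcpiTableGuidLookup[] can be declared STATIC CONST.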
Re: [edk2-devel] [edk2-platforms] [PATCH v2 1/5] Platform/ARM/SgiPkg: Disable use of deprecated APIs
On Wed, Feb 12, 2020 at 18:59:23 +0530, Vijayenthiran Subramaniam wrote: > Add the `DISABLE_NEW_DEPRECATED_INTERFACES` build option in DSC file to > make sure that the deprecated APIs are not used SgiPkg. > > Signed-off-by: Vijayenthiran Subramaniam Reviewed-by: Leif Lindholm > --- > Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc | 3 +++ > Platform/ARM/SgiPkg/SgiPlatform.dsc | 3 +++ > 2 files changed, 6 insertions(+) > > diff --git a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > index 7ae19560eaca..38bf6020ba4c 100644 > --- a/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > +++ b/Platform/ARM/SgiPkg/PlatformStandaloneMm.dsc > @@ -132,3 +132,6 @@ [Components.AARCH64] > > ### > [BuildOptions.AARCH64] >GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000 -march=armv8-a+nofp > + > +[BuildOptions] > + *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES > diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dsc > b/Platform/ARM/SgiPkg/SgiPlatform.dsc > index a5b7eea1d3a8..e38cc7da52a5 100644 > --- a/Platform/ARM/SgiPkg/SgiPlatform.dsc > +++ b/Platform/ARM/SgiPkg/SgiPlatform.dsc > @@ -23,6 +23,9 @@ [Defines] > > !include Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc > > +[BuildOptions] > + *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES > + > [LibraryClasses.common] >ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf >ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuBaseLib.inf > -- > 2.7.4 >
Re: [edk2-devel] [PATCH 8/9] SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx()(CVE-2019-14575)
On 2/6/20 3:19 PM, Wang, Jian J wrote: From: Laszlo Ersek REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 What a painful review... If the second GetVariable() call for "dbx" fails, in IsForbiddenByDbx(), we have to free Data. Jump to "Done" for that. Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Laszlo Ersek --- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 2236ce98ce..5b7a67f811 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1274,7 +1274,7 @@ IsForbiddenByDbx ( Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, , NULL, , (VOID *) Data); if (EFI_ERROR (Status)) { -return IsForbidden; +goto Done; } // Reviewed-by: Philippe Mathieu-Daudé
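Review bot: With "goto Done;" replacing "return IsForbidden;" after the failed GetVariable() call, the result on this path depends on two things the hunk does not show: that the Done block frees Data, and that IsForbidden still holds the value the old early return produced. Please state both in the commit message. If IsForbidden can be FALSE at this point, set it to TRUE before the jump so that a dbx that cannot be read is not treated the same as a dbx with no matching entry.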
Re: [edk2-devel] [PATCH 1/9] SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
On 2/6/20 3:19 PM, Wang, Jian J wrote: REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 Pointer HashCtx used in IsCertHashFoundInDatabase() is not freed inside the while-loop, if it will run more than once. By extracting part of the code from the big while() statement into a new function, IsCertHashFoundInDatabase() would be easier to review (and this mistake could have been avoided). Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Jian J Wang --- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index dbfbfcb4fb..74dbffa122 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -908,6 +908,9 @@ IsCertHashFoundInDatabase ( goto Done; } +FreePool (HashCtx); +HashCtx = NULL; + SiglistHeaderSize = sizeof (EFI_SIGNATURE_LIST) + DbxList->SignatureHeaderSize; CertHash = (EFI_SIGNATURE_DATA *) ((UINT8 *) DbxList + SiglistHeaderSize); CertHashCount = (DbxList->SignatureListSize - SiglistHeaderSize) / DbxList->SignatureSize; Reviewed-by: Philippe Mathieu-Daudé
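Review bot: The added FreePool (HashCtx) sits after the closing brace of the branch that does "goto Done;", so it releases the context only on an iteration that gets past that check; the error exit still relies on the cleanup at Done. Because HashCtx is set to NULL here, Done can now be reached with HashCtx == NULL once the loop has finished its last list, so the cleanup there needs a NULL check before FreePool. That code is outside the hunk; please confirm it has the check or extend the patch to add it.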
Re: [edk2-devel] [PATCH v2 1/1] CryptoPkg/OpensslLib: Remove "no-autoalginit" flag from OpenSSL build
Thanks for the patch. Two comments below. > -Original Message- > From: Zurcher, Christopher J > Sent: Thursday, February 13, 2020 11:34 AM > To: devel@edk2.groups.io > Cc: Wang, Jian J ; Lu, XiaoyuX > Subject: [PATCH v2 1/1] CryptoPkg/OpensslLib: Remove "no-autoalginit" flag > from OpenSSL build > > This is required for interfaces such as EVP to retrieve algorithms > by name. > > This commit also adds the "sort" keyword to the header file parsing loop > so the .inf files aren't randomized after every run of process_files.pl. > > Cc: Jian J Wang > Cc: Xiaoyu Lu > Signed-off-by: Christopher J Zurcher > --- > CryptoPkg/Library/OpensslLib/OpensslLib.inf | 64 ++-- > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 60 +- > CryptoPkg/Library/Include/openssl/opensslconf.h | 3 - > CryptoPkg/Library/OpensslLib/process_files.pl | 5 +- > 4 files changed, 64 insertions(+), 68 deletions(-) > > diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > b/CryptoPkg/Library/OpensslLib/OpensslLib.inf > index 3fa52f5543..5caffdb71e 100644 > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf > +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
> @@ -494,57 +494,57 @@ >$(OPENSSL_PATH)/crypto/x509v3/v3_tlsf.c >$(OPENSSL_PATH)/crypto/x509v3/v3_utl.c >$(OPENSSL_PATH)/crypto/x509v3/v3err.c > - $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h > - $(OPENSSL_PATH)/crypto/dh/dh_locl.h > - $(OPENSSL_PATH)/crypto/bio/bio_lcl.h > - $(OPENSSL_PATH)/crypto/conf/conf_def.h > - $(OPENSSL_PATH)/crypto/conf/conf_lcl.h > - $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h > - $(OPENSSL_PATH)/crypto/sha/sha_locl.h > - $(OPENSSL_PATH)/crypto/md5/md5_locl.h > - $(OPENSSL_PATH)/crypto/store/store_locl.h > - $(OPENSSL_PATH)/crypto/dso/dso_locl.h > - $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h >$(OPENSSL_PATH)/crypto/arm_arch.h >$(OPENSSL_PATH)/crypto/mips_arch.h >$(OPENSSL_PATH)/crypto/ppc_arch.h >$(OPENSSL_PATH)/crypto/s390x_arch.h >$(OPENSSL_PATH)/crypto/sparc_arch.h >$(OPENSSL_PATH)/crypto/vms_rms.h > - $(OPENSSL_PATH)/crypto/bn/bn_lcl.h > - $(OPENSSL_PATH)/crypto/bn/bn_prime.h > - $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h > - $(OPENSSL_PATH)/crypto/ui/ui_locl.h > - $(OPENSSL_PATH)/crypto/md4/md4_locl.h > - $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h > + $(OPENSSL_PATH)/crypto/aes/aes_locl.h >$(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h >$(OPENSSL_PATH)/crypto/asn1/asn1_locl.h >$(OPENSSL_PATH)/crypto/asn1/charmap.h >$(OPENSSL_PATH)/crypto/asn1/standard_methods.h >$(OPENSSL_PATH)/crypto/asn1/tbl_standard.h > - $(OPENSSL_PATH)/crypto/evp/evp_locl.h > - $(OPENSSL_PATH)/crypto/rand/rand_lcl.h > - $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h > - $(OPENSSL_PATH)/crypto/modes/modes_lcl.h > - $(OPENSSL_PATH)/crypto/comp/comp_lcl.h > - $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h > - $(OPENSSL_PATH)/crypto/x509/x509_lcl.h > + $(OPENSSL_PATH)/crypto/async/async_locl.h >$(OPENSSL_PATH)/crypto/async/arch/async_null.h >$(OPENSSL_PATH)/crypto/async/arch/async_posix.h >$(OPENSSL_PATH)/crypto/async/arch/async_win.h > - $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h > + $(OPENSSL_PATH)/crypto/bio/bio_lcl.h > + $(OPENSSL_PATH)/crypto/bn/bn_lcl.h > + $(OPENSSL_PATH)/crypto/bn/bn_prime.h > + 
$(OPENSSL_PATH)/crypto/bn/rsaz_exp.h > + $(OPENSSL_PATH)/crypto/comp/comp_lcl.h > + $(OPENSSL_PATH)/crypto/conf/conf_def.h > + $(OPENSSL_PATH)/crypto/conf/conf_lcl.h >$(OPENSSL_PATH)/crypto/des/des_locl.h >$(OPENSSL_PATH)/crypto/des/spr.h > + $(OPENSSL_PATH)/crypto/dh/dh_locl.h > + $(OPENSSL_PATH)/crypto/dso/dso_locl.h > + $(OPENSSL_PATH)/crypto/evp/evp_locl.h > + $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h > + $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h > + $(OPENSSL_PATH)/crypto/md4/md4_locl.h > + $(OPENSSL_PATH)/crypto/md5/md5_locl.h > + $(OPENSSL_PATH)/crypto/modes/modes_lcl.h > + $(OPENSSL_PATH)/crypto/objects/obj_dat.h > + $(OPENSSL_PATH)/crypto/objects/obj_lcl.h > + $(OPENSSL_PATH)/crypto/objects/obj_xref.h > + $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h > + $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h > + $(OPENSSL_PATH)/crypto/rand/rand_lcl.h > + $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h > + $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h > + $(OPENSSL_PATH)/crypto/sha/sha_locl.h >$(OPENSSL_PATH)/crypto/siphash/siphash_local.h > - $(OPENSSL_PATH)/crypto/aes/aes_locl.h > - $(OPENSSL_PATH)/crypto/async/async_locl.h > + $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h > + $(OPENSSL_PATH)/crypto/store/store_locl.h > + $(OPENSSL_PATH)/crypto/ui/ui_locl.h > + $(OPENSSL_PATH)/crypto/x509/x509_lcl.h >$(OPENSSL_PATH)/crypto/x509v3/ext_dat.h >$(OPENSSL_PATH)/crypto/x509v3/pcy_int.h >$(OPENSSL_PATH)/crypto/x509v3/standard_exts.h >$(OPENSSL_PATH)/crypto/x509v3/v3_admis.h > - $(OPENSSL_PATH)/crypto/objects/obj_dat.h > - $(OPENSSL_PATH)/crypto/objects/obj_lcl.h > - $(OPENSSL_PATH)/crypto/objects/obj_xref.h >$(OPENSSL_PATH)/ssl/bio_ssl.c >
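Review bot: The visible part of the @@ -494,57 +494,57 @@ hunk in OpensslLib.inf removes and re-adds the same *_lcl.h and *_locl.h entries in a different order, which comes from the new "sort" in process_files.pl and not from dropping "no-autoalginit". Split the sort change and the resulting .inf reordering into a preparatory patch, so that the second patch shows only the lines the configuration change really adds or removes and the functional diff can be reviewed without the reorder noise.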
Re: [edk2-devel] [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: Differentiate error and search result in IsCertHashFoundInDatabase(CVE-2019-14575)
Jiewen, Thanks for the comments. 1) You're right. IsCertHashFoundInDatabase is quite general and cause confusions between db and dbx situation. Since it's not newly introduced in this patch series, do you think it's ok to fix it in separate patch series later? Or do you prefer fix it in this patch series? I'm ok with both. 2) I checked both code again. I think you're right. Both callings are for dbx, any error Status should be taken as IsFound(==TRUE). What about following change for the second case? Please help double check if any logic hole here. Status = IsCertHashFoundInDatabase (...); if (EFI_ERROR (Status) || IsFound) { // // Check the timestamp signature and signing time to determine if the RootCert can be trusted. // VerifyStatus = PassTimestampCheck (AuthData, AuthDataSize, ); if (!VerifyStatus) { DEBUG ((...)); } } else { VerifyStatus = TRUE; } goto Done; Regards, Jian > -Original Message- > From: Yao, Jiewen > Sent: Thursday, February 13, 2020 6:11 PM > To: Wang, Jian J ; devel@edk2.groups.io > Cc: Zhang, Chao B ; Laszlo Ersek > > Subject: RE: [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: Differentiate > error and search result in IsCertHashFoundInDatabase(CVE-2019-14575) > > Comment below: > > 1) I think the function name - IsCertHashFoundInDatabase() and the > implementation { DbxList = SignatureList; DbxSize = SignatureListSize; } > bring > some confusion to me. > > If this is a *generic* database search function, I recommend we use a generic > name - not use DbxList/DbxSize in the function implementation. > > If the input SignatureList of the function must be *Dbx*, I recommend we use > IsCertHashFoundInDbx() as the function name. > > Either change is OK for me. > > 2) Now we have to check 2 output: Status and IsFound in > IsCertHashFoundInDatabase(). 
> > I am struggling to understand the different between 2 different ways of error > handling: > > === > Status = IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST > *)Data, DataSize, , ); > if (EFI_ERROR (Status) || IsFound) { > // > // Check the timestamp signature and signing time to determine if the > image > can be trusted. > // > IsForbidden = TRUE; > if (!EFI_ERROR (Status) && PassTimestampCheck (AuthData, AuthDataSize, > )) { > IsForbidden = FALSE; > > > and > > > VerifyStatus = FALSE; > // > // Here We still need to check if this RootCert's Hash is revoked > // > Status = IsCertHashFoundInDatabase (RootCert, RootCertSize, > (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, , ); > if (EFI_ERROR (Status)) { > goto Done; > } > > if (!IsFound) { > VerifyStatus = TRUE; > goto Done; > } > > // > // Check the timestamp signature and signing time to determine if > the > RootCert can be trusted. > // > VerifyStatus = PassTimestampCheck (AuthData, AuthDataSize, > ); > if (!VerifyStatus) { > === > > I *believe* the logic behind is same. If so, we can use a consistent way to > check > the 2 output and decide if PassTimestampCheck() is required. > > Or, can we create a one single function to perform such check for both > IsCertHashFoundInDatabase() and PassTimestampCheck() ? > > If I am wrong, there is *difference* between them. Then I think we need much > better description to help reviewer to catch the difference. 
> > Thank you > Yao Jiewen > > > > -Original Message- > > From: Wang, Jian J > > Sent: Thursday, February 6, 2020 10:20 PM > > To: devel@edk2.groups.io > > Cc: Yao, Jiewen ; Zhang, Chao B > > ; Laszlo Ersek > > Subject: [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: Differentiate > > error > > and search result in IsCertHashFoundInDatabase(CVE-2019-14575) > > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 > > > > To avoid false-negative issue in check hash against dbx, both error > > condition (as return value) and check result (as out parameter) of > > IsCertHashFoundInDatabase() are added. So the caller of this function > > will know exactly if a failure is caused by a black list hit or > > other error happening, and enforce a more secure operation to prevent > > secure boot from being bypassed. For a white list check (db), there's > > no such necessity. > > > > Cc: Jiewen Yao > > Cc: Chao Zhang > > Signed-off-by: Jian J Wang > > Signed-off-by: Laszlo Ersek > > --- > > .../DxeImageVerificationLib.c | 68 +++ > > 1 file changed, 41 insertions(+), 27 deletions(-) > > > > diff --git
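The three decision paths quoted in this message (the two existing call sites and the merged form proposed in the reply), modelled as an added C example that is not code from the thread or from edk2: it enumerates every combination of lookup error, dbx hit and timestamp result and counts where the paths disagree. The boolean inputs, all function names, the fail-closed helper and the assumption that IsForbidden is FALSE before the first check are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model, not edk2 code. Inputs to every decision function:
 *   lookup_error  IsCertHashFoundInDatabase() returned an error Status
 *   found         its IsFound output was TRUE (hash is listed in dbx)
 *   ts_ok         PassTimestampCheck() would return TRUE
 * Return value: true when the certificate ends up trusted.
 */
typedef bool (*decision_fn)(bool lookup_error, bool found, bool ts_ok);

/* First quoted call site (IsForbidden). Assumption: IsForbidden is FALSE
 * before the check; the quoted fragment does not show its initial value. */
static bool forbidden_site_trusts(bool lookup_error, bool found, bool ts_ok)
{
    bool is_forbidden = false;
    if (lookup_error || found) {
        is_forbidden = true;
        if (!lookup_error && ts_ok) {
            is_forbidden = false;
        }
    }
    return !is_forbidden;
}

/* Second quoted call site (RootCert): separate exits for error and !IsFound. */
static bool rootcert_site_trusts(bool lookup_error, bool found, bool ts_ok)
{
    if (lookup_error) {
        return false;   /* VerifyStatus stays FALSE, goto Done */
    }
    if (!found) {
        return true;    /* VerifyStatus = TRUE, goto Done */
    }
    return ts_ok;       /* VerifyStatus = PassTimestampCheck (...) */
}

/* Merged form proposed in the reply for the second call site. */
static bool merged_form_trusts(bool lookup_error, bool found, bool ts_ok)
{
    if (lookup_error || found) {
        return ts_ok;   /* timestamp check also runs when the lookup failed */
    }
    return true;
}

/* Hypothetical single helper for both call sites: an error is never trusted,
 * a dbx hit is trusted only if the timestamp check passes. */
static bool fail_closed_trusts(bool lookup_error, bool found, bool ts_ok)
{
    if (lookup_error) {
        return false;
    }
    return found ? ts_ok : true;
}

/* Number of the 8 input combinations on which a and b give different answers. */
static int count_disagreements(decision_fn a, decision_fn b)
{
    int n = 0;
    for (int i = 0; i < 8; i++) {
        bool e = (i & 4) != 0, f = (i & 2) != 0, t = (i & 1) != 0;
        if (a(e, f, t) != b(e, f, t)) {
            n++;
        }
    }
    return n;
}

/* Number of lookup-error inputs (out of 4) that still end up trusted. */
static int trusted_despite_error(decision_fn fn)
{
    int n = 0;
    for (int i = 0; i < 4; i++) {
        if (fn(true, (i & 2) != 0, (i & 1) != 0)) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    printf("err found ts_ok | forbidden rootcert merged fail_closed\n");
    for (int i = 0; i < 8; i++) {
        bool e = (i & 4) != 0, f = (i & 2) != 0, t = (i & 1) != 0;
        printf("%3d %5d %5d | %9d %8d %6d %11d\n", e, f, t,
               forbidden_site_trusts(e, f, t), rootcert_site_trusts(e, f, t),
               merged_form_trusts(e, f, t), fail_closed_trusts(e, f, t));
    }
    printf("call sites disagree on %d inputs; merged form trusts %d error inputs\n",
           count_disagreements(forbidden_site_trusts, rootcert_site_trusts),
           trusted_despite_error(merged_form_trusts));
    return 0;
}
```

On this model the two existing call sites agree on all eight inputs, while the merged form returns "trusted" on the two inputs where the lookup failed and the timestamp check passes.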
Re: [edk2-devel] [PATCH v2 0/3] UefiCpuPkg/CpuFeature: Introduce First to indicate 1st unit.
Laszlo, I forgot to add you to CC list. Do you have any comments on the patch set? Thanks, Ray > -Original Message- > From: Dong, Eric > Sent: Thursday, February 13, 2020 4:04 PM > To: devel@edk2.groups.io; Ni, Ray > Subject: RE: [edk2-devel] [PATCH v2 0/3] UefiCpuPkg/CpuFeature: Introduce > First to indicate 1st unit. > > For the serial: Reviewed-by: Eric Dong > > -Original Message- > From: devel@edk2.groups.io On Behalf Of Ray Ni > Sent: Tuesday, November 26, 2019 2:16 PM > To: devel@edk2.groups.io > Subject: [edk2-devel] [PATCH v2 0/3] UefiCpuPkg/CpuFeature: Introduce First > to indicate 1st unit. > > Ray Ni (3): > UefiCpuPkg/RegisterCpuFeaturesLib: Delete CPU_FEATURE_[BEFORE|AFTER] > UefiCpuPkg/RegisterCpuFeaturesLib: Rename [Before|After]FeatureBitMask > UefiCpuPkg/CpuFeature: Introduce First to indicate 1st unit. > > .../Include/Library/RegisterCpuFeaturesLib.h | 49 +--- > .../CpuCommonFeaturesLib.c| 6 +- > .../CpuFeaturesInitialize.c | 74 +++ > .../RegisterCpuFeatures.h | 4 +- > .../RegisterCpuFeaturesLib.c | 74 ++- > 5 files changed, 158 insertions(+), 49 deletions(-) > > -- > 2.21.0.windows.1
Re: [edk2-devel] [PATCH v2 0/3] Ovmf: enable TPM 1.2
Hi Lureau, I don’t think we should expose the TPM Interface type via TpmCommandLib. That is the TPM device implementation. The TPM device might use TIS/FIFO/CRB, but there might also be other types such as I2C, or an fTPM implementation type. To distinguish TPM2.0 or TPM1.2, the standard way is to send the startup command. Thank you Yao Jiewen > -Original Message- > From: devel@edk2.groups.io On Behalf Of > marcandre.lur...@redhat.com > Sent: Thursday, February 13, 2020 9:12 PM > To: edk2-de...@lists.01.org; devel@edk2.groups.io > Cc: stef...@linux.ibm.com; ler...@redhat.com; simon.ha...@itdev.co.uk; > Marc-André Lureau > Subject: [edk2-devel] [PATCH v2 0/3] Ovmf: enable TPM 1.2 > > From: Marc-André Lureau > > Hi, > > The following patches add basic TPM 1.2 support for Ovmf/QEMU. > > I tested successfully Win10 with TIS/TPM 1.2 & CRB/TPM 2.0 > passthrough, and emulated CRB/TPM 2.0. > (fwiw, I haven't tried to enable TPM_CONFIG_ENABLE) > > Marc-André Lureau (3): > Ovmf: rename TPM2 config prefix to TPM > SecurityPkg: export Tpm12GetPtpInterfaceType() > Ovmf: enable TPM 1.2 support > > OvmfPkg/OvmfPkgIa32.dsc | 39 +-- > OvmfPkg/OvmfPkgIa32.fdf | 10 +++-- > OvmfPkg/OvmfPkgIa32X64.dsc| 39 +-- > OvmfPkg/OvmfPkgIa32X64.fdf| 10 +++-- > OvmfPkg/OvmfPkgX64.dsc| 39 +-- > OvmfPkg/OvmfPkgX64.fdf| 10 +++-- > OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf | 3 ++ > OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeim.c | 17 +++- > SecurityPkg/Include/Library/Tpm12DeviceLib.h | 13 +++ > .../Library/Tpm12DeviceLibDTpm/Tpm12Tis.c | 17 > 10 files changed, 141 insertions(+), 56 deletions(-) > > -- > 2.25.0.rc2.1.g09a9a1a997
[edk2-devel] [PATCH v2 3/3] Ovmf: enable TPM 1.2 support
From: Marc-André Lureau Enable TcgPei & TcgDxe modules to initialize a TPM 1.2 device and measure boot environment. Tpm12RequestUseTpm() returns success on any TPM interface, including FIFO & CRB which are TPM 2.0. Check the actual interface with Tpm12GetPtpInterfaceType(), and only detect 1.2 if it's a TIS. Signed-off-by: Marc-André Lureau --- OvmfPkg/OvmfPkgIa32.dsc | 15 +++ OvmfPkg/OvmfPkgIa32.fdf | 2 ++ OvmfPkg/OvmfPkgIa32X64.dsc | 15 +++ OvmfPkg/OvmfPkgIa32X64.fdf | 2 ++ OvmfPkg/OvmfPkgX64.dsc | 15 +++ OvmfPkg/OvmfPkgX64.fdf | 2 ++ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf | 3 +++ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeim.c | 17 - 8 files changed, 70 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 38b013ad9543..02300886563e 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -206,6 +206,7 @@ XenPlatformLib|OvmfPkg/Library/XenPlatformLib/XenPlatformLib.inf !if $(TPM_ENABLE) == TRUE + Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf @@ -281,6 +282,7 @@ !if $(TPM_ENABLE) == TRUE BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf !endif @@ -361,6 +363,7 @@ MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf !if $(TPM_ENABLE) == TRUE + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf !endif 
@@ -633,6 +636,7 @@ !if $(TPM_ENABLE) == TRUE OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf + SecurityPkg/Tcg/TcgPei/TcgPei.inf SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf @@ -668,6 +672,7 @@ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf !endif !if $(TPM_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf !endif } @@ -926,5 +931,15 @@ } !if $(TPM_CONFIG_ENABLE) == TRUE SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +!endif + SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { + + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf + } +!if $(TPM_CONFIG_ENABLE) == TRUE + SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf { + + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf + } !endif !endif diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf index 2c7d6cccdfb0..b0ddc5a4ae73 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf +++ b/OvmfPkg/OvmfPkgIa32.fdf @@ -161,6 +161,7 @@ INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf !if $(TPM_ENABLE) == TRUE INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +INF SecurityPkg/Tcg/TcgPei/TcgPei.inf INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf !endif @@ -347,6 +348,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf # TPM support # !if $(TPM_ENABLE) == TRUE +INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf !if $(TPM_CONFIG_ENABLE) == TRUE INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index e075f0766935..3adc75223d05 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc 
@@ -211,6 +211,7 @@ XenPlatformLib|OvmfPkg/Library/XenPlatformLib/XenPlatformLib.inf !if $(TPM_ENABLE) == TRUE + Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf @@ -286,6 +287,7 @@ !if $(TPM_ENABLE) == TRUE BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf !endif @@ -366,6 +368,7 @@ MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf !if $(TPM_ENABLE) == TRUE +
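Review bot: In the OvmfPkgIa32.dsc hunk at @@ -926,5 +931,15 @@, SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf is added to the build under !if $(TPM_CONFIG_ENABLE) == TRUE, but the OvmfPkgIa32.fdf hunk at @@ -347,6 +348,7 @@ adds only TcgDxe.inf (the diffstat shows two insertions per .fdf, TcgPei.inf and TcgDxe.inf), so the TPM 1.2 config driver is compiled and never placed in the firmware volume. Either add the matching INF line inside the existing !if $(TPM_CONFIG_ENABLE) == TRUE block of each .fdf or drop the .dsc entry. Separately, the DXE library-class hunk at @@ -361,6 +363,7 @@ resolves Tpm12DeviceLib to Tpm12DeviceLibTcg while the TcgDxe.inf component overrides it with Tpm12DeviceLibDTpm; a one-line comment at the override saying why TcgDxe needs the direct-hardware instance would save the next reader the lookup.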
[edk2-devel] [PATCH v2 1/3] Ovmf: rename TPM2 config prefix to TPM
From: Marc-André Lureau A following patch is going to use the same configuration for TPM1.2 and TPM2.0, and it's simpler to support both than variable configurations. Signed-off-by: Marc-André Lureau --- OvmfPkg/OvmfPkgIa32.dsc| 24 OvmfPkg/OvmfPkgIa32.fdf| 8 OvmfPkg/OvmfPkgIa32X64.dsc | 24 OvmfPkg/OvmfPkgIa32X64.fdf | 8 OvmfPkg/OvmfPkgX64.dsc | 24 OvmfPkg/OvmfPkgX64.fdf | 8 6 files changed, 48 insertions(+), 48 deletions(-) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 19728f20b34e..38b013ad9543 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -31,8 +31,8 @@ DEFINE SECURE_BOOT_ENABLE = FALSE DEFINE SMM_REQUIRE = FALSE DEFINE SOURCE_DEBUG_ENABLE = FALSE - DEFINE TPM2_ENABLE = FALSE - DEFINE TPM2_CONFIG_ENABLE = FALSE + DEFINE TPM_ENABLE = FALSE + DEFINE TPM_CONFIG_ENABLE = FALSE # # Network definition @@ -205,7 +205,7 @@ XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf XenPlatformLib|OvmfPkg/Library/XenPlatformLib/XenPlatformLib.inf -!if $(TPM2_ENABLE) == TRUE +!if $(TPM_ENABLE) == TRUE Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf @@ -279,7 +279,7 @@ PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf -!if $(TPM2_ENABLE) == TRUE +!if $(TPM_ENABLE) == TRUE BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf !endif @@ -360,7 +360,7 @@ PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf -!if $(TPM2_ENABLE) == TRUE +!if $(TPM_ENABLE) == TRUE Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf !endif 
@@ -575,12 +575,12 @@ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 -!if $(TPM2_ENABLE) == TRUE +!if $(TPM_ENABLE) == TRUE gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} !endif [PcdsDynamicHii] -!if $(TPM2_ENABLE) == TRUE && $(TPM2_CONFIG_ENABLE) == TRUE +!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS !endif @@ -631,7 +631,7 @@ !endif UefiCpuPkg/CpuMpPei/CpuMpPei.inf -!if $(TPM2_ENABLE) == TRUE +!if $(TPM_ENABLE) == TRUE OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { @@ -667,7 +667,7 @@ !if $(SECURE_BOOT_ENABLE) == TRUE NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf !endif -!if $(TPM2_ENABLE) == TRUE +!if $(TPM_ENABLE) == TRUE NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf !endif } @@ -910,9 +910,9 @@ !endif # - # TPM2 support + # TPM support # -!if $(TPM2_ENABLE) == TRUE +!if $(TPM_ENABLE) == TRUE SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf @@ -924,7 +924,7 @@ NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf } -!if $(TPM2_CONFIG_ENABLE) == TRUE +!if $(TPM_CONFIG_ENABLE) == TRUE SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf !endif !endif diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf index 63607551ed75..2c7d6cccdfb0 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf +++ b/OvmfPkg/OvmfPkgIa32.fdf 
@@ -159,7 +159,7 @@ INF OvmfPkg/SmmAccess/SmmAccessPei.inf !endif INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf -!if $(TPM2_ENABLE) == TRUE +!if $(TPM_ENABLE) == TRUE INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf !endif @@ -344,11 +344,11 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !endif # -# TPM2 support +# TPM support # -!if $(TPM2_ENABLE) == TRUE +!if $(TPM_ENABLE) == TRUE INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf -!if $(TPM2_CONFIG_ENABLE) == TRUE +!if $(TPM_CONFIG_ENABLE) == TRUE INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf !endif !endif diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
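Review bot: The DEFINE rename at @@ -31,8 +31,8 @@ (TPM2_ENABLE to TPM_ENABLE, TPM2_CONFIG_ENABLE to TPM_CONFIG_ENABLE) changes the build interface with no compatibility path: an existing build line that passes -D TPM2_ENABLE now matches no !if in these files, TPM_ENABLE keeps its FALSE default, and the image is produced without the TPM and measured-boot modules and without any error. Please call the rename out in the commit message and in any build documentation that mentions the old names, or reject the old macro names explicitly so the change cannot go unnoticed. The commit message sentence "it's simpler to support both than variable configurations" is also hard to parse and should say what "both" refers to.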
[edk2-devel] [PATCH 1/1] NetworkPkg/ArpDxe: Recycle invalid ARP packets(CVE-2019-14559).
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031 This patch triggers the RecycleEvent for invalid ARP packets. Prior to this, we would just ignore invalid ARP packets, and never free them. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Siyuan Fu Signed-off-by: Nicholas Armour --- NetworkPkg/ArpDxe/ArpImpl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/NetworkPkg/ArpDxe/ArpImpl.c b/NetworkPkg/ArpDxe/ArpImpl.c index 9cdb33f2bd66..09fc8811f125 100644 --- a/NetworkPkg/ArpDxe/ArpImpl.c +++ b/NetworkPkg/ArpDxe/ArpImpl.c @@ -125,6 +125,7 @@ ArpOnFrameRcvdDpc ( Head->OpCode= NTOHS (Head->OpCode); if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) { +gBS->SignalEvent (RxData->RecycleEvent); goto RESTART_RECEIVE; } -- 2.16.2.windows.1
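Review bot: The commit message says invalid ARP packets are now recycled, but the added gBS->SignalEvent (RxData->RecycleEvent) covers only the length check at @@ -125,6 +125,7 @@; the hunk does not show whether the other validation failures in ArpOnFrameRcvdDpc that end in goto RESTART_RECEIVE release RxData. Please confirm that every such exit signals RecycleEvent exactly once. If the function already has a shared recycle exit, jumping to it here would be preferable to open-coding the signal, so that a check added later cannot reintroduce the leak.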
[edk2-devel] [PATCH v2 0/3] Ovmf: enable TPM 1.2
From: Marc-André Lureau Hi, The following patches add basic TPM 1.2 support for Ovmf/QEMU. I tested successfully Win10 with TIS/TPM 1.2 & CRB/TPM 2.0 passthrough, and emulated CRB/TPM 2.0. (fwiw, I haven't tried to enable TPM_CONFIG_ENABLE) Marc-André Lureau (3): Ovmf: rename TPM2 config prefix to TPM SecurityPkg: export Tpm12GetPtpInterfaceType() Ovmf: enable TPM 1.2 support OvmfPkg/OvmfPkgIa32.dsc | 39 +-- OvmfPkg/OvmfPkgIa32.fdf | 10 +++-- OvmfPkg/OvmfPkgIa32X64.dsc| 39 +-- OvmfPkg/OvmfPkgIa32X64.fdf| 10 +++-- OvmfPkg/OvmfPkgX64.dsc| 39 +-- OvmfPkg/OvmfPkgX64.fdf| 10 +++-- OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf | 3 ++ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeim.c | 17 +++- SecurityPkg/Include/Library/Tpm12DeviceLib.h | 13 +++ .../Library/Tpm12DeviceLibDTpm/Tpm12Tis.c | 17 10 files changed, 141 insertions(+), 56 deletions(-) -- 2.25.0.rc2.1.g09a9a1a997
[edk2-devel] [PATCH v2 2/3] SecurityPkg: export Tpm12GetPtpInterfaceType()
From: Marc-André Lureau Signed-off-by: Marc-André Lureau --- SecurityPkg/Include/Library/Tpm12DeviceLib.h| 13 + .../Library/Tpm12DeviceLibDTpm/Tpm12Tis.c | 17 ++--- 2 files changed, 23 insertions(+), 7 deletions(-) diff --git a/SecurityPkg/Include/Library/Tpm12DeviceLib.h b/SecurityPkg/Include/Library/Tpm12DeviceLib.h index eac7885ca3d8..bcdfbdac76b5 100644 --- a/SecurityPkg/Include/Library/Tpm12DeviceLib.h +++ b/SecurityPkg/Include/Library/Tpm12DeviceLib.h @@ -11,6 +11,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include +typedef enum { + PtpInterfaceTis, + PtpInterfaceFifo, + PtpInterfaceCrb, + PtpInterfaceMax, +} PTP_INTERFACE_TYPE; + /** This service enables the sending of commands to the TPM12. @@ -45,4 +52,10 @@ Tpm12RequestUseTpm ( VOID ); +EFIAPI +PTP_INTERFACE_TYPE +Tpm12GetPtpInterfaceType ( + VOID + ); + #endif diff --git a/SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12Tis.c b/SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12Tis.c index 1caa076203ba..381915130b7f 100644 --- a/SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12Tis.c +++ b/SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12Tis.c @@ -15,18 +15,12 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include #include #include #include -typedef enum { - PtpInterfaceTis, - PtpInterfaceFifo, - PtpInterfaceCrb, - PtpInterfaceMax, -} PTP_INTERFACE_TYPE; - // // Max TPM command/reponse length // @@ -542,3 +536,12 @@ Tpm12RequestUseTpm ( return EFI_NOT_FOUND; } } + +EFIAPI +PTP_INTERFACE_TYPE +Tpm12GetPtpInterfaceType ( + VOID + ) +{ + return Tpm12GetPtpInterface ((VOID *) (UINTN) PcdGet64 (PcdTpmBaseAddress)); +} -- 2.25.0.rc2.1.g09a9a1a997
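Review bot: Tpm12GetPtpInterfaceType() is declared in the Tpm12DeviceLib.h library-class header at @@ -45,4 +52,10 @@ but implemented only in Tpm12DeviceLibDTpm/Tpm12Tis.c (the diffstat touches just these two files), so any other Tpm12DeviceLib instance no longer provides everything the header declares, and a module that calls the function while linked against such an instance will fail to link. Either implement it in every instance or keep the interface query out of the library class. The new prototype also has no /** ... **/ header comment, unlike the declaration above it, and places EFIAPI before the return type in both the declaration and the definition, where the usual EDK II order is return type first. The commit message body is empty and should say why the type and function are being exported.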
Re: [edk2-devel] [PATCH v2 1/1] MdePkg: Add PCCT table signature definition
Push @a67efa3b22113cc9b52f8e56e50466d6da0ab11e > -Original Message- > From: devel@edk2.groups.io On Behalf Of Liming Gao > Sent: Thursday, February 13, 2020 8:59 AM > To: Krzysztof Koch ; devel@edk2.groups.io > Cc: Kinney, Michael D ; matteo.carl...@arm.com; > sami.muja...@arm.com; n...@arm.com > Subject: Re: [edk2-devel] [PATCH v2 1/1] MdePkg: Add PCCT table signature > definition > > Reviewed-by: Liming Gao > > > -Original Message- > > From: Krzysztof Koch > > Sent: Thursday, February 13, 2020 1:28 AM > > To: devel@edk2.groups.io > > Cc: Kinney, Michael D ; Gao, Liming > > ; matteo.carl...@arm.com; > > sami.muja...@arm.com; n...@arm.com > > Subject: [PATCH v2 1/1] MdePkg: Add PCCT table signature definition > > > > The Platform Communications Channel Table (PCCT) was defined in: > > ACPI Specification Version 5.0, Errata A - Published Nov. 13, 2013. > > > > Starting from the Acpi50.h header file, there are definitions > > describing the table but a macro with the table's signature is missing. > > > > This patch adds the definition of Platform Communications Channel > > Table's signature to the relevant ACPI header files. > > > > Signed-off-by: Krzysztof Koch > > --- > > > > Changes can be seen at: > > https://github.com/KrzysztofKoch1/edk2/tree/617_add_pcct_signature_def_v2 > > > > Notes: > > v2: > > - Replicate the definition from Acpi50.h onwards [Liming] > > > > v1: > > - Add definition of PCCT table signature [Krzysztof] > > > > MdePkg/Include/IndustryStandard/Acpi50.h | 6 ++ > > MdePkg/Include/IndustryStandard/Acpi51.h | 6 ++ > > MdePkg/Include/IndustryStandard/Acpi60.h | 6 ++ > > MdePkg/Include/IndustryStandard/Acpi61.h | 6 ++ > > MdePkg/Include/IndustryStandard/Acpi62.h | 6 ++ > > MdePkg/Include/IndustryStandard/Acpi63.h | 7 ++- > > 6 files changed, 36 insertions(+), 1 deletion(-) 
> > > > diff --git a/MdePkg/Include/IndustryStandard/Acpi50.h > > b/MdePkg/Include/IndustryStandard/Acpi50.h > > index > > 46dcdb950741020420a5695a8577dde5ac409ed7..31a47e6a2c4276d5b1ad7b834af84844090b64c5 > > 100644 > > --- a/MdePkg/Include/IndustryStandard/Acpi50.h > > +++ b/MdePkg/Include/IndustryStandard/Acpi50.h > > @@ -3,6 +3,7 @@ > > > >Copyright (c) 2014 Hewlett-Packard Development Company, L.P. > >Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved. > > + Copyright (c) 2020, ARM Ltd. All rights reserved. > >SPDX-License-Identifier: BSD-2-Clause-Patent > > **/ > > > > @@ -2057,6 +2058,11 @@ typedef struct { > > /// > > #define EFI_ACPI_5_0_DATA_MANAGEMENT_TABLE_SIGNATURE SIGNATURE_32('M', > > 'S', 'D', 'M') > > > > +/// > > +/// "PCCT" Platform Communications Channel Table > > +/// > > +#define EFI_ACPI_5_0_PLATFORM_COMMUNICATIONS_CHANNEL_TABLE_SIGNATURE > > SIGNATURE_32('P', 'C', 'C', 'T') > > + > > /// > > /// "SLIC" MS Software Licensing Table Specification > > /// > > diff --git a/MdePkg/Include/IndustryStandard/Acpi51.h > > b/MdePkg/Include/IndustryStandard/Acpi51.h > > index > > 0132f25de8ce945135714e59b4b9e5bd286b2c22..fc28ffa18fc6a22e52fda88fade6ad80b2817cc3 > > 100644 > > --- a/MdePkg/Include/IndustryStandard/Acpi51.h > > +++ b/MdePkg/Include/IndustryStandard/Acpi51.h > > @@ -4,6 +4,7 @@ > >Copyright (c) 2014 Hewlett-Packard Development Company, L.P. > >Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. > >(C) Copyright 2015 Hewlett Packard Enterprise Development LP > > + Copyright (c) 2020, ARM Ltd. All rights reserved. > >SPDX-License-Identifier: BSD-2-Clause-Patent > > **/ 
> > > > @@ -2078,6 +2079,11 @@ typedef struct { > > /// > > #define EFI_ACPI_5_1_DATA_MANAGEMENT_TABLE_SIGNATURE SIGNATURE_32('M', > > 'S', 'D', 'M') > > > > +/// > > +/// "PCCT" Platform Communications Channel Table > > +/// > > +#define EFI_ACPI_5_1_PLATFORM_COMMUNICATIONS_CHANNEL_TABLE_SIGNATURE > > SIGNATURE_32('P', 'C', 'C', 'T') > > + > > /// > > /// "SLIC" MS Software Licensing Table Specification > > /// > > diff --git a/MdePkg/Include/IndustryStandard/Acpi60.h > > b/MdePkg/Include/IndustryStandard/Acpi60.h > > index > > 94a30a81b369d96dc83dce7aa1e274ef54b315aa..5dcd73b6f1ec4bccc7fdae7d56c2963ab58764f9 > > 100644 > > --- a/MdePkg/Include/IndustryStandard/Acpi60.h > > +++ b/MdePkg/Include/IndustryStandard/Acpi60.h > > @@ -3,6 +3,7 @@ > > > >Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved. > >(C) Copyright 2015-2016 Hewlett Packard Enterprise Development LP > > + Copyright (c) 2020, ARM Ltd. All rights reserved. > >SPDX-License-Identifier: BSD-2-Clause-Patent > > **/ > > > > @@ -2321,6 +2322,11 @@ typedef struct { > > /// > > #define EFI_ACPI_6_0_DATA_MANAGEMENT_TABLE_SIGNATURE SIGNATURE_32('M', > > 'S', 'D', 'M') > > > > +/// > > +/// "PCCT" Platform Communications Channel Table > > +/// > > +#define EFI_ACPI_6_0_PLATFORM_COMMUNICATIONS_CHANNEL_TABLE_SIGNATURE > > SIGNATURE_32('P', 'C', 'C', 'T') > > + > > /// > > /// "SLIC"
Re: [edk2-devel] [PATCH 14/19] Silicon/NXP/LS1043A: Replce SocLib
> -Original Message- > From: Leif Lindholm > Sent: Thursday, February 13, 2020 4:20 AM > To: Pankaj Bansal > Cc: Meenakshi Aggarwal ; Michael D Kinney > ; Varun Sethi ; > devel@edk2.groups.io > Subject: Re: [PATCH 14/19] Silicon/NXP/LS1043A: Replce SocLib > > On Wed, Feb 12, 2020 at 09:37:30 +, Pankaj Bansal wrote: > > > > > > > -Original Message- > > > From: Leif Lindholm > > > Sent: Tuesday, February 11, 2020 7:05 PM > > > To: Pankaj Bansal > > > Cc: Meenakshi Aggarwal ; Michael D > > > Kinney ; Varun Sethi ; > > > devel@edk2.groups.io > > > Subject: Re: [PATCH 14/19] Silicon/NXP/LS1043A: Replce SocLib > > > > > > On Fri, Feb 07, 2020 at 18:13:23 +0530, Pankaj Bansal wrote: > > > > Replace SocLib with new SocLib in which code structure has been > > > > changed. > > > > > > I don't think there's much point to me reviewing this one until > > > we've discussed the ChassisLib/SocLib split and layout in more detail. > > > > Let me explain the code layout. > > A Chassis is a base framework used for building SoCs. > > All NXP Layerscape SOCs like LS1043A, LS1046A, LS2088A, LX2160A are part of > some chassis. > > e.g. LS1043A conforms to Chassis 2.x > > LX2160A conforms to Chassis 3.2 > > > > We can think of Chassis/Soc/Platform(a.k.a Board) in Oops terms. > > Chassis is base. Soc Is derived from Chassis. Platform is derived from Soc. > > Right. This is what confused me. > I was thinking "chassis" more along the lines of > https://en.wikipedia.org/wiki/Chassis_Management_Controller > > You're talking about the ... bits that remain the same on migrating the > processors from PPC to ARM? I am not sure if the concept of Chassis was there in PPC or not? It's just the way the SOCs are designed. 
SOCs that are designed around same chassis, reuse most of the components. It cuts down on s/w development time, because most of the s/w can be reused. > > > We have kept the code also in such a way. Which is why we have made > > Soc Package part of Chassis Package. > > > > SocLib provides services to PlatformLib. ChassisLib provides services > > to SocLib. > > Which is why we have made SocGetMpCoreInfo as weak function and > > implemented it in ChassisLib (Patch 11/19) This ensures that code can > > be reused for all SOCs belonging to same chassis. > > If any future SOC implements this feature in different way, then this > > API can be overwritten in SocLib > > > > SOCs belonging to same Chassis share many same traits. > > e.g. the SOC memory map is usually common for all SOCs belonging to > > same Chassis. > > OK, this sounds valid. But one follow-up question: why add the hierarchy at > all? > From a (human) discoverability standpoint, if someone is looking for the code > for a specific SoC, they will be looking for that SoC, not some abstraction > of it. > > So I agree it makes sense that chassis are not kept under SoC, but I am > asking if > it would not make more sense to keep them on the same level? > Any SoCs depending on Pcds defined by a specific chassis could access those by > importing the package for that chassis. > Hmm. This can be done. We can make Silicon/NXP/Chassis2 and Silicon/NXP/LS1043A. 
> Regards, > > Leif > > > > > > > / > > > Leif > > > > > > > Signed-off-by: Pankaj Bansal > > > > --- > > > > .../Drivers/PlatformDxe/PlatformDxe.inf | 3 +- > > > > Platform/NXP/LS1043aRdbPkg/LS1043aRdbPkg.dsc | 3 +- > > > > .../Library/ArmPlatformLib/ArmPlatformLib.c | 53 ++- > > > > .../Library/ArmPlatformLib/ArmPlatformLib.inf | 6 +- > > > > Silicon/NXP/Chassis2/Include/Chassis.h| 12 ++ > > > > Silicon/NXP/Chassis2/LS1043A/LS1043A.dsc.inc | 1 + > > > > .../Chassis2/LS1043A/Library/SocLib/SocLib.c | 28 > > > > .../LS1043A/Library/SocLib/SocLib.inf | 8 ++ > > > > .../Chassis2/Library/ChassisLib/ChassisLib.c | 25 > > > > Silicon/NXP/Drivers/I2cDxe/I2cDxe.c | 2 +- > > > > Silicon/NXP/Drivers/I2cDxe/I2cDxe.h | 7 +- > > > > Silicon/NXP/Include/Chassis2/NxpSoc.h | 53 --- > > > > Silicon/NXP/Include/Library/ChassisLib.h | 2 - > > > > Silicon/NXP/Include/Library/SocLib.h | 1 - > > > > Silicon/NXP/LS1043A/Include/Soc.h | 44 -- > > > > Silicon/NXP/LS1043A/LS1043A.dec | 16 --- > > > > Silicon/NXP/LS1043A/LS1043A.dsc.inc | 33 - > > > > .../BaseSerialPortLib16550.c | 11 +- > > > > .../BaseSerialPortLib16550.inf| 3 +- > > > > Silicon/NXP/Library/SocLib/Chassis.c | 76 -- > > > > Silicon/NXP/Library/SocLib/Chassis2/Soc.c | 96 - > > > >
Re: [edk2-devel] [PATCH 3/3] SecurityPkg: Issues reported by ECC in EDK2.
Reviewed-by: Jiewen Yao > -Original Message- > From: devel@edk2.groups.io On Behalf Of GuoMinJ > Sent: Thursday, February 13, 2020 4:34 PM > To: devel@edk2.groups.io > Cc: GuoMinJ > Subject: [edk2-devel] [PATCH 3/3] SecurityPkg: Issues reported by ECC in EDK2. > > https://bugzilla.tianocore.org/show_bug.cgi?id=2515 > > Change the SecurityPkg to match the ECC check rule > > Signed-off-by: GuoMinJ > --- > SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c | 4 ++-- > SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 4 ++-- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c > b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c > index 1fe1955cab..9a5f987e68 100644 > --- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c > +++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c > @@ -772,7 +772,7 @@ Tcg2GetEventLog ( >return EFI_SUCCESS; > } > > -/* > +/** >Return if this is a Tcg800155PlatformIdEvent. > >@param[in] NewEventHdr Pointer to a > TCG_PCR_EVENT_HDR/TCG_PCR_EVENT_EX data structure. > @@ -783,7 +783,7 @@ Tcg2GetEventLog ( >@retval TRUE This is a Tcg800155PlatformIdEvent. >@retval FALSE This is NOT a Tcg800155PlatformIdEvent. > > -*/ > +**/ > BOOLEAN > Is800155Event ( >IN VOID *NewEventHdr, > diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c > b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c > index 7e94a8e1ed..4852d86906 100644 > --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c > +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c > @@ -460,7 +460,7 @@ MeasureCRTMVersion ( > ); > } > > -/* > +/** >Get the FvName from the FV header. > >Causion: The FV is untrusted input. 
> @@ -470,7 +470,7 @@ MeasureCRTMVersion ( > >@return FvName pointer >@retval NULL FvName is NOT found > -*/ > +**/ > VOID * > GetFvName ( >IN EFI_PHYSICAL_ADDRESS FvBase, > -- > 2.17.1
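Review bot: The GetFvName header comment opened at @@ -460,7 +460,7 @@ in Tcg2Pei.c still reads "Causion: The FV is untrusted input." in its context lines; since this patch already edits that comment block to satisfy ECC, the spelling should be corrected to "Caution" in the same change. The subject "Issues reported by ECC in EDK2" also does not say what was changed; naming the fix (the two function header comments converted from /* ... */ to /** ... **/) would make the log searchable.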
Re: [edk2-devel] [PATCH 9/9] SecurityPkg/DxeImageVerificationLib: Differentiate error and search result in IsSignatureFoundInDatabase(CVE-2019-14575)
Reviewed-by: Jiewen Yao > -Original Message- > From: Wang, Jian J > Sent: Thursday, February 6, 2020 10:20 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Zhang, Chao B > > Subject: [PATCH 9/9] SecurityPkg/DxeImageVerificationLib: Differentiate error > and search result in IsSignatureFoundInDatabase(CVE-2019-14575) > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 > > To avoid false-negative issue in check hash against dbx, both error > condition (as return value) and check result (as out parameter) of > IsSignatureFoundInDatabase() are added. So the caller of this function > will know exactly if a failure is caused by a black list hit or > other error happening, and enforce a more secure operation to prevent > secure boot from being bypassed. For a white list check (db), there's > no such necessity. > > All intermediate results inside this function will be checked and > returned immediately upon any failure or error, like out-of-resource, > hash calculation error or certificate retrieval failure. > > Cc: Jiewen Yao > Cc: Chao Zhang > Signed-off-by: Jian J Wang > --- > .../DxeImageVerificationLib.c | 77 ++- > 1 file changed, 58 insertions(+), 19 deletions(-) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 5b7a67f811..8e599ca0be 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
> @@ -955,17 +955,19 @@ Done: >@param[in] Signature Pointer to signature that is searched for. > >@param[in] CertTypePointer to hash algorithm. > >@param[in] SignatureSize Size of Signature. > > + @param[out] IsFound Search result. Only valid if EFI_SUCCESS > returned > > > > - @return TRUEFound the signature in the variable > database. > > - @return FALSE Not found the signature in the variable > database. > > + @retval EFI_SUCCESS Finished the search without any error. > > + @retval Others Error occurred in the search of database. > > > > **/ > > -BOOLEAN > > +EFI_STATUS > > IsSignatureFoundInDatabase ( > > - IN CHAR16 *VariableName, > > - IN UINT8 *Signature, > > - IN EFI_GUID *CertType, > > - IN UINTN SignatureSize > > + IN CHAR16*VariableName, > > + IN UINT8 *Signature, > > + IN EFI_GUID *CertType, > > + IN UINTN SignatureSize, > > + OUT BOOLEAN *IsFound > >) > > { > >EFI_STATUS Status; > > @@ -975,22 +977,28 @@ IsSignatureFoundInDatabase ( >UINT8 *Data; > >UINTN Index; > >UINTN CertCount; > > - BOOLEAN IsFound; > > > >// > >// Read signature database variable. > >// > > - IsFound = FALSE; > > + *IsFound = FALSE; > >Data = NULL; > >DataSize = 0; > >Status= gRT->GetVariable (VariableName, , > NULL, , NULL); > >if (Status != EFI_BUFFER_TOO_SMALL) { > > -return FALSE; > > +if (Status == EFI_NOT_FOUND) { > > + // > > + // No database, no need to search. > > + // > > + Status = EFI_SUCCESS; > > +} > > + > > +return Status; > >} > > > >Data = (UINT8 *) AllocateZeroPool (DataSize); > >if (Data == NULL) { > > -return FALSE; > > +return EFI_OUT_OF_RESOURCES; > >} > > > >Status = gRT->GetVariable (VariableName, , > NULL, , Data); > > @@ -1010,7 +1018,7 @@ IsSignatureFoundInDatabase ( >// > >// Find the signature in database. > >// > > - IsFound = TRUE; > > + *IsFound = TRUE; > >// > >// Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to > validate > image should be measured > >// 
> > @@ -1023,7 +1031,7 @@ IsSignatureFoundInDatabase ( > Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + > CertList->SignatureSize); > >} > > > > - if (IsFound) { > > + if (*IsFound) { > > break; > >} > > } > > @@ -1037,7 +1045,7 @@ Done: > FreePool (Data); > >} > > > > - return IsFound; > > + return Status; > > } > > > > /** > > @@ -1642,6 +1650,8 @@ DxeImageVerificationHandler ( >CHAR16 *NameStr; > >RETURN_STATUSPeCoffStatus; > >EFI_STATUS HashStatus; > > + EFI_STATUS DbStatus; > > + BOOLEAN IsFound; > > > >SignatureList = NULL; > >SignatureListSize = 0; > > @@ -1650,7 +1660,7 @@ DxeImageVerificationHandler ( >
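Review bot: in the "@@ -975,22 +977,28 @@" hunk the size probe has no ASSERT (EFI_ERROR (Status)), unlike the same probe in patches 5/9 and 7/9 of this series, so an unexpected EFI_SUCCESS from the zero-size GetVariable() call would be returned as is with *IsFound still FALSE, which a dbx caller reads as "searched, not found". Suggest adding the ASSERT and turning a non-error probe result into an error status before "return Status;". The new "*IsFound = FALSE;" also dereferences the OUT pointer without a NULL check.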
Re: [edk2-devel] [PATCH 8/9] SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx()(CVE-2019-14575)
Reviewed-by: Jiewen Yao > -Original Message- > From: Wang, Jian J > Sent: Thursday, February 6, 2020 10:20 PM > To: devel@edk2.groups.io > Cc: Laszlo Ersek ; Yao, Jiewen ; > Zhang, Chao B > Subject: [PATCH 8/9] SecurityPkg/DxeImageVerificationLib: plug Data leak in > IsForbiddenByDbx()(CVE-2019-14575) > > From: Laszlo Ersek > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 > > If the second GetVariable() call for "dbx" fails, in IsForbiddenByDbx(), > we have to free Data. Jump to "Done" for that. > > Cc: Jiewen Yao > Cc: Chao Zhang > Signed-off-by: Laszlo Ersek > --- > .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 2236ce98ce..5b7a67f811 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -1274,7 +1274,7 @@ IsForbiddenByDbx ( > > >Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, > , NULL, , (VOID *) Data); > >if (EFI_ERROR (Status)) { > > -return IsForbidden; > > +goto Done; > >} > > > >// > > -- > 2.24.0.windows.2
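Review bot: at the changed line (goto Done after the second GetVariable() fails) the returned verdict now depends on what IsForbidden holds when control reaches Done, and nothing at this site says so. With patch 7/9 applied first the value is the TRUE default, so the failure is treated as forbidden; a one-line comment like the "Force not-allowed-by-db to avoid bypass" comments added in 4/9 would make that intent explicit and keep a reordering of the series from turning this path into a FALSE return.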
Re: [edk2-devel] [PATCH 7/9] SecurityPkg/DxeImageVerificationLib: tighten default result of IsForbiddenByDbx()(CVE-2019-14575)
Reviewed-by: Jiewen Yao > -Original Message- > From: Wang, Jian J > Sent: Thursday, February 6, 2020 10:20 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Zhang, Chao B > ; Laszlo Ersek > Subject: [PATCH 7/9] SecurityPkg/DxeImageVerificationLib: tighten default > result of IsForbiddenByDbx()(CVE-2019-14575) > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 > > All intermediate results inside this function will be checked and > returned immediately upon any failure or error, like out-of-resource, > hash calculation error or certificate retrieval failure. > > Cc: Jiewen Yao > Cc: Chao Zhang > Signed-off-by: Jian J Wang > Signed-off-by: Laszlo Ersek > --- > .../DxeImageVerificationLib/DxeImageVerificationLib.c | 11 ++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index a5dfee0f8e..2236ce98ce 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -1240,7 +1240,7 @@ IsForbiddenByDbx ( >// > >// Variable Initialization > >// > > - IsForbidden = FALSE; > > + IsForbidden = TRUE; > >Data = NULL; > >CertList = NULL; > >CertData = NULL; > > @@ -1257,7 +1257,14 @@ IsForbiddenByDbx ( >// > >DataSize = 0; > >Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, > , NULL, , NULL); > > + ASSERT (EFI_ERROR (Status)); > >if (Status != EFI_BUFFER_TOO_SMALL) { > > +if (Status == EFI_NOT_FOUND) { > > + // > > + // Evidently not in dbx if the database doesn't exist. > > + // > > + IsForbidden = FALSE; > > +} > > return IsForbidden; > >} > >Data = (UINT8 *) AllocateZeroPool (DataSize); 
> > @@ -1366,6 +1373,8 @@ IsForbiddenByDbx ( > > >} > > > > + IsForbidden = FALSE; > > + > > Done: > >if (Data != NULL) { > > FreePool (Data); > > -- > 2.24.0.windows.2
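Review bot: the last hunk places IsForbidden = FALSE directly above the Done label with no comment, and with the default now TRUE this single assignment is what clears the verdict for every image that passes. Suggest a comment there stating that reaching it means every dbx check completed without a hit, so that a future early exit is written as goto Done rather than a fall-through. In the size-probe hunk, ASSERT (EFI_ERROR (Status)) is compiled out of release builds; the code after it still returns TRUE for any status other than EFI_NOT_FOUND, which is the behaviour to keep.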
Re: [edk2-devel] [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: Differentiate error and search result in IsCertHashFoundInDatabase(CVE-2019-14575)
Comment below:

1) I think the function name - IsCertHashFoundInDatabase() and the implementation { DbxList = SignatureList; DbxSize = SignatureListSize; } bring some confusion to me. If this is a *generic* database search function, I recommend we use a generic name - not use DbxList/DbxSize in the function implementation. If the input SignatureList of the function must be *Dbx*, I recommend we use IsCertHashFoundInDbx() as the function name. Either change is OK for me.

2) Now we have to check 2 outputs: Status and IsFound in IsCertHashFoundInDatabase(). I am struggling to understand the difference between 2 different ways of error handling:

===
    Status = IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, , );
    if (EFI_ERROR (Status) || IsFound) {
      //
      // Check the timestamp signature and signing time to determine if the image can be trusted.
      //
      IsForbidden = TRUE;
      if (!EFI_ERROR (Status) && PassTimestampCheck (AuthData, AuthDataSize, )) {
        IsForbidden = FALSE;

and

    VerifyStatus = FALSE;
    //
    // Here We still need to check if this RootCert's Hash is revoked
    //
    Status = IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, , );
    if (EFI_ERROR (Status)) {
      goto Done;
    }
    if (!IsFound) {
      VerifyStatus = TRUE;
      goto Done;
    }
    //
    // Check the timestamp signature and signing time to determine if the RootCert can be trusted.
    //
    VerifyStatus = PassTimestampCheck (AuthData, AuthDataSize, );
    if (!VerifyStatus) {
===

I *believe* the logic behind them is the same. If so, we can use a consistent way to check the 2 outputs and decide if PassTimestampCheck() is required. Or, can we create one single function to perform such a check for both IsCertHashFoundInDatabase() and PassTimestampCheck()?

If I am wrong, there is a *difference* between them. Then I think we need a much better description to help the reviewer catch the difference.

Thank you
Yao Jiewen

> -Original Message-
> From: Wang, Jian J > Sent: Thursday, February 6, 2020 10:20 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Zhang, Chao B > ; Laszlo Ersek > Subject: [PATCH 6/9] SecurityPkg/DxeImageVerificationLib: Differentiate error > and search result in IsCertHashFoundInDatabase(CVE-2019-14575) > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 > > To avoid false-negative issue in check hash against dbx, both error > condition (as return value) and check result (as out parameter) of > IsCertHashFoundInDatabase() are added. So the caller of this function > will know exactly if a failure is caused by a black list hit or > other error happening, and enforce a more secure operation to prevent > secure boot from being bypassed. For a white list check (db), there's > no such necessity. > > Cc: Jiewen Yao > Cc: Chao Zhang > Signed-off-by: Jian J Wang > Signed-off-by: Laszlo Ersek > --- > .../DxeImageVerificationLib.c | 68 +++ > 1 file changed, 41 insertions(+), 27 deletions(-) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 8739d1fa29..a5dfee0f8e 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
> @@ -822,22 +822,23 @@ AddImageExeInfo ( >@param[in] SignatureList Pointer to the Signature List in forbidden > database. > >@param[in] SignatureListSize Size of Signature List. > >@param[out] RevocationTimeReturn the time that the certificate was > revoked. > > + @param[out] IsFound Search result. Only valid if EFI_SUCCESS > returned. > > > > - @return TRUE The certificate hash is found in the forbidden database. > > - @return FALSE The certificate hash is not found in the forbidden database. > > + @retval EFI_SUCCESS Finished the search without any error. > > + @retval OthersError occurred in the search of database. > > > > **/ > > -BOOLEAN > > +EFI_STATUS > > IsCertHashFoundInDatabase ( > >IN UINT8 *Certificate, > >IN UINTN CertSize, > >IN EFI_SIGNATURE_LIST *SignatureList, > >IN UINTN SignatureListSize, > > - OUT EFI_TIME*RevocationTime > > + OUT EFI_TIME*RevocationTime, > > + OUT BOOLEAN *IsFound > >) > > { > > - BOOLEAN IsFound; > > - BOOLEAN Status; > > + EFI_STATUS Status; > >EFI_SIGNATURE_LIST
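Review bot: the updated header comment documents IsFound as "Only valid if EFI_SUCCESS returned" but leaves RevocationTime described unconditionally, although it can only be meaningful when the search succeeded and *IsFound is TRUE. Suggest saying so on the RevocationTime line, and replacing "@retval Others" with the statuses a caller should expect, since callers now have to treat an error differently from a miss.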
Re: [edk2-devel] [PATCH 5/9] SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching code in IsAllowedByDb(CVE-2019-14575)
Good enhancement. Reviewed-by: Jiewen Yao > -Original Message- > From: Wang, Jian J > Sent: Thursday, February 6, 2020 10:19 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Zhang, Chao B > > Subject: [PATCH 5/9] SecurityPkg/DxeImageVerificationLib: refactor db/dbx > fetching code in IsAllowedByDb(CVE-2019-14575) > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 > > The dbx fetching code inside the while/for-loop causes code hard to > understand. Since there's no need to get dbx more than once, this patch > simplify the code logic by moving related code to be outside the while- > loop. db fetching code is also refined accordingly to reduce the indent > level of code. > > More comments are also added or refined to explain more details. > > Cc: Jiewen Yao > Cc: Chao Zhang > Signed-off-by: Jian J Wang > --- > .../DxeImageVerificationLib.c | 144 ++ > 1 file changed, 83 insertions(+), 61 deletions(-) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index ed5dbf26b0..8739d1fa29 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
> @@ -1412,76 +1412,92 @@ IsAllowedByDb ( >RootCertSize = 0; > >VerifyStatus = FALSE; > > > > + // > > + // Fetch 'db' content. If 'db' doesn't exist or encounters problem to get > the > > + // data, return not-allowed-by-db (FALSE). > > + // > >DataSize = 0; > >Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, > , NULL, , NULL); > > - if (Status == EFI_BUFFER_TOO_SMALL) { > > -Data = (UINT8 *) AllocateZeroPool (DataSize); > > -if (Data == NULL) { > > - return VerifyStatus; > > + ASSERT (EFI_ERROR (Status)); > > + if (Status != EFI_BUFFER_TOO_SMALL) { > > +return VerifyStatus; > > + } > > + > > + Data = (UINT8 *) AllocateZeroPool (DataSize); > > + if (Data == NULL) { > > +return VerifyStatus; > > + } > > + > > + Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, > , NULL, , (VOID *) Data); > > + if (EFI_ERROR (Status)) { > > +goto Done; > > + } > > + > > + // > > + // Fetch 'dbx' content. If 'dbx' doesn't exist, continue to check 'db'. > > + // If any other errors occured, no need to check 'db' but just return > > + // not-allowed-by-db (FALSE) to avoid bypass. > > + // > > + DbxDataSize = 0; > > + Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, > , NULL, , NULL); > > + ASSERT (EFI_ERROR (Status)); > > + if (Status != EFI_BUFFER_TOO_SMALL) { > > +if (Status != EFI_NOT_FOUND) { > > + goto Done; > > +} > > +// > > +// 'dbx' does not exist. Continue to check 'db'. > > +// > > + } else { > > +// > > +// 'dbx' exists. Get its content. > > +// > > +DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize); > > +if (DbxData == NULL) { > > + goto Done; > > } > > > > -Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, > , NULL, , (VOID *) Data); > > +Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, > , NULL, , (VOID *) DbxData); > > if (EFI_ERROR (Status)) { > >goto Done; > > } > > + } > > > > -// > > -// Find X509 certificate in Signature List to verify the signature in > pkcs7 signed > data. 
> > -// > > -CertList = (EFI_SIGNATURE_LIST *) Data; > > -while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) { > > - if (CompareGuid (>SignatureType, )) { > > -CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof > (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); > > -CertCount = (CertList->SignatureListSize - sizeof > (EFI_SIGNATURE_LIST) - > CertList->SignatureHeaderSize) / CertList->SignatureSize; > > + // > > + // Find X509 certificate in Signature List to verify the signature in > pkcs7 signed > data. > > + // > > + CertList = (EFI_SIGNATURE_LIST *) Data; > > + while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) { > > +if (CompareGuid (>SignatureType, )) { > > + CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof > (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); > > + CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) > - > CertList->SignatureHeaderSize) / CertList->SignatureSize; > > > > -for (Index = 0; Index < CertCount; Index++) { > > - // > > - // Iterate each Signature Data Node within this CertList for > verify. > > - // > > - RootCert = CertData->SignatureData; > > - RootCertSize = CertList->SignatureSize - sizeof (EFI_GUID); > > + for (Index = 0; Index < CertCount; Index++) { > > +// > > +// Iterate
[edk2-devel] RFC: Use Zoom for the next TianoCore Open Design Meeting
All,

We started to use BlueJeans as the meeting service in September 2019 due to the unavailability of Zoom. But we have had a very bad meeting experience using BlueJeans. The connection is good for attendees from the US and Taiwan, but bad for attendees from PRC mainland. It makes interaction between attendees very difficult.

I confirmed from Zoom that the service was broken in September 2019 for quite a short time and resumed to normal soon after. I also verified the Zoom meeting with people from Taiwan and the US early this week.

So, I propose to try Zoom for the next TianoCore Open Design Meeting. If there is no objection by the end of this week, I will update the calendar for next week's meeting to use Zoom. Whether to continue using Zoom for further meetings depends on the experience of the next Zoom meeting.

The final decision to permanently switch to Zoom depends on:
1. Next Zoom meeting experience
2. Concerns are raised in or after the meeting but resolved within a week after the meeting

Thanks,
Ray
Re: [edk2-devel] [PATCH 4/9] SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching dbx in IsAllowedByDb(CVE-2019-14575)
Reviewed-by: Jiewen Yao > -Original Message- > From: Wang, Jian J > Sent: Thursday, February 6, 2020 10:19 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Zhang, Chao B > > Subject: [PATCH 4/9] SecurityPkg/DxeImageVerificationLib: avoid bypass in > fetching dbx in IsAllowedByDb(CVE-2019-14575) > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 > > In timestamp check after the cert is found in db, the original code jumps > to 'Done' if any error happens in fetching dbx variable. At any of the jump, > VerifyStatus equals to TRUE, which means allowed-by-db. This should not > be allowed except to EFI_NOT_FOUND case (meaning dbx doesn't exist), > because > it could be used to bypass timestamp check. > > This patch add code to change VerifyStatus to FALSE in the case of memory > allocation failure and dbx fetching failure to avoid potential bypass issue. > > Cc: Jiewen Yao > Cc: Chao Zhang > Signed-off-by: Jian J Wang > --- > .../DxeImageVerificationLib/DxeImageVerificationLib.c | 11 +++ > 1 file changed, 11 insertions(+) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 1efb2f96cd..ed5dbf26b0 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
> @@ -1459,15 +1459,26 @@ IsAllowedByDb ( > DbxDataSize = 0; > > Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, > , NULL, , NULL); > > if (Status != EFI_BUFFER_TOO_SMALL) { > > + if (Status != EFI_NOT_FOUND) { > > +VerifyStatus = FALSE; > > + } > >goto Done; > > } > > DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize); > > if (DbxData == NULL) { > > + // > > + // Force not-allowed-by-db to avoid bypass > > + // > > + VerifyStatus = FALSE; > >goto Done; > > } > > > > Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, > , NULL, , (VOID *) DbxData); > > if (EFI_ERROR (Status)) { > > + // > > + // Force not-allowed-by-db to avoid bypass > > + // > > + VerifyStatus = FALSE; > >goto Done; > > } > > > > -- > 2.24.0.windows.2
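Review bot: the first added branch, if (Status != EFI_NOT_FOUND) { VerifyStatus = FALSE; }, carries no comment while the two below it do, and the same assignment is now repeated on three exit paths. Suggest setting VerifyStatus = FALSE once before the dbx fetch and restoring TRUE only after the revocation check passes, so that a newly added failure path cannot leave allowed-by-db in place; at minimum, comment the EFI_NOT_FOUND exception, which is the one case where TRUE is kept on purpose.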
Re: [edk2-devel] [PATCH 3/9] SecurityPkg/DxeImageVerificationLib: fix wrong fetching dbx in IsAllowedByDb(CVE-2019-14575)
Reviewed-by: Jiewen Yao > -Original Message- > From: Wang, Jian J > Sent: Thursday, February 6, 2020 10:19 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Zhang, Chao B > > Subject: [PATCH 3/9] SecurityPkg/DxeImageVerificationLib: fix wrong fetching > dbx in IsAllowedByDb(CVE-2019-14575) > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 > > Normally two times of calling gRT->GetVariable() are needed to get > the data of a variable: get the variable size by passing zero variable > size, and then allocate enough memory and pass the correct variable size > and buffer. > > But in the inner loop in IsAllowedByDb(), the DbxDataSize was not > initialized to zero before calling gRT->GetVariable(). It won't cause > problem if dbx does not exist. But it will give wrong result if dbx > exists and the DbxDataSize happens to be a small enough value. In this > situation, EFI_BUFFER_TOO_SMALL will be returned. Then the result check > code followed will jump to 'Done', which is not correct because it's > actually the value expected. > > if (Status == EFI_BUFFER_TOO_SMALL) { > goto Done; > } > > Cc: Jiewen Yao > Cc: Chao Zhang > Signed-off-by: Jian J Wang > --- > .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 5dcd6efed5..1efb2f96cd 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
> @@ -1456,8 +1456,9 @@ IsAllowedByDb ( > // > > // Here We still need to check if this RootCert's Hash is revoked > > // > > +DbxDataSize = 0; > > Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, > , NULL, , NULL); > > -if (Status == EFI_BUFFER_TOO_SMALL) { > > +if (Status != EFI_BUFFER_TOO_SMALL) { > >goto Done; > > } > > DbxData = (UINT8 *) AllocateZeroPool (DbxDataSize); > > -- > 2.24.0.windows.2
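Review bot: with the test flipped to Status != EFI_BUFFER_TOO_SMALL, every other status from the size probe, real errors included, still reaches goto Done with VerifyStatus unchanged, and the commit message of 4/9 states that VerifyStatus is TRUE at these jumps. Taken alone this patch therefore still accepts the image when the dbx probe fails for a reason other than EFI_NOT_FOUND; suggest saying in the commit message that 4/9 closes that path, or folding the two patches together.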
Re: [edk2-devel] [PATCH 2/9] SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0 per DBX(CVE-2019-14575)
Reviewed-by: Jiewen Yao > -Original Message- > From: Wang, Jian J > Sent: Thursday, February 6, 2020 10:19 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Zhang, Chao B > ; Laszlo Ersek > Subject: [PATCH 2/9] SecurityPkg/DxeImageVerificationLib: reject > CertStack.CertNumber==0 per DBX(CVE-2019-14575) > > In case the signers' certificate stack, retrieved from the PE/COFF image's > Authenticode blob, has zero elements (= there are zero signer certificates), > then we should consider the image forbidden by DBX, not accepted by DBX. > > Cc: Jiewen Yao > Cc: Chao Zhang > Signed-off-by: Jian J Wang > Reviewed-by: Laszlo Ersek > --- > .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 74dbffa122..5dcd6efed5 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -1326,7 +1326,7 @@ IsForbiddenByDbx ( >// UINT8 Certn[]; > >// > >Pkcs7GetSigners (AuthData, AuthDataSize, , , > , ); > > - if ((BufferLength == 0) || (CertBuffer == NULL)) { > > + if ((BufferLength == 0) || (CertBuffer == NULL) || (*CertBuffer) == 0) { > > IsForbidden = TRUE; > > goto Done; > >} > > -- > 2.24.0.windows.2
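Review bot: the added operand is written (*CertBuffer) == 0 without the enclosing parentheses the other two operands have; suggest ((*CertBuffer) == 0) for consistency, plus a short comment that the first byte of the buffer is the certificate count named in the subject line, since the condition itself does not say so. The return value of Pkcs7GetSigners() on the context line above is not checked, so this condition is the only guard on its outputs.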
Re: [edk2-devel] [PATCH 1/9] SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
Reviewed-by: Jiewen Yao > -Original Message- > From: Wang, Jian J > Sent: Thursday, February 6, 2020 10:19 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Zhang, Chao B > > Subject: [PATCH 1/9] SecurityPkg/DxeImageVerificationLib: Fix memory > leaks(CVE-2019-14575) > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 > > Pointer HashCtx used in IsCertHashFoundInDatabase() is not freed inside > the while-loop, if it will run more than once. > > Cc: Jiewen Yao > Cc: Chao Zhang > Signed-off-by: Jian J Wang > --- > .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index dbfbfcb4fb..74dbffa122 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -908,6 +908,9 @@ IsCertHashFoundInDatabase ( >goto Done; > > } > > > > +FreePool (HashCtx); > > +HashCtx = NULL; > > + > > SiglistHeaderSize = sizeof (EFI_SIGNATURE_LIST) + DbxList- > >SignatureHeaderSize; > > CertHash = (EFI_SIGNATURE_DATA *) ((UINT8 *) DbxList + > SiglistHeaderSize); > > CertHashCount = (DbxList->SignatureListSize - SiglistHeaderSize) / > DbxList- > >SignatureSize; > > -- > 2.24.0.windows.2
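Review bot: the added FreePool (HashCtx) sits after the goto Done error exit, so a failing iteration leaves the loop with HashCtx still allocated, and the visible lines do not show whether Done frees it. Suggest confirming that Done releases a non-NULL HashCtx; the HashCtx = NULL assignment added here is then what keeps that cleanup from becoming a double free.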
Re: [edk2-devel] [PATCH 1/3] FmpDevicePkg/FmpDxe: Issues reported by ECC in EDK2.
Reviewed-by: Liming Gao > -Original Message- > From: devel@edk2.groups.io On Behalf Of GuoMinJ > Sent: Thursday, February 13, 2020 4:34 PM > To: devel@edk2.groups.io > Cc: GuoMinJ > Subject: [edk2-devel] [PATCH 1/3] FmpDevicePkg/FmpDxe: Issues reported by ECC > in EDK2. > > https://bugzilla.tianocore.org/show_bug.cgi?id=2515 > > Change the FmpDevicePkg to match the ECC check rule > > Signed-off-by: GuoMinJ > --- > FmpDevicePkg/FmpDxe/Dependency.c | 4 ++-- > FmpDevicePkg/FmpDxe/Dependency.h | 2 +- > FmpDevicePkg/FmpDxe/FmpDxe.c | 2 +- > 3 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/FmpDevicePkg/FmpDxe/Dependency.c > b/FmpDevicePkg/FmpDxe/Dependency.c > index b63a36b989..8f97c42916 100644 > --- a/FmpDevicePkg/FmpDxe/Dependency.c > +++ b/FmpDevicePkg/FmpDxe/Dependency.c > @@ -163,8 +163,8 @@ Push ( > /** >Pop an element from the stack. > > - @param[in] Value Element to pop. > - @param[in] Type Type of element. > + @param[out] ElementElement to pop. > + @param[in] Type Type of element. > >@retval EFI_SUCCESSThe value was popped onto the stack. >@retval EFI_ACCESS_DENIED The pop operation underflowed the stack. > diff --git a/FmpDevicePkg/FmpDxe/Dependency.h > b/FmpDevicePkg/FmpDxe/Dependency.h > index a2aaaceeae..badd2542d6 100644 > --- a/FmpDevicePkg/FmpDxe/Dependency.h > +++ b/FmpDevicePkg/FmpDxe/Dependency.h > @@ -56,7 +56,7 @@ EvaluateImageDependencies ( >IN CONST EFI_GUIDImageTypeId, >IN CONST UINT32 Version, >IN CONST EFI_FIRMWARE_IMAGE_DEP *Dependencies, > - IN CONST UINT32 DependenciesSize, > + IN CONST UINT32 DepexSize, >OUT BOOLEAN *IsSatisfied >); > > diff --git a/FmpDevicePkg/FmpDxe/FmpDxe.c b/FmpDevicePkg/FmpDxe/FmpDxe.c > index aa92331966..5b523291e4 100644 > --- a/FmpDevicePkg/FmpDxe/FmpDxe.c > +++ b/FmpDevicePkg/FmpDxe/FmpDxe.c 
> @@ -413,7 +413,7 @@ PopulateDescriptor ( > } > if (!EFI_ERROR (Status) && Image != NULL) { >IsDepexValid = ValidateImageDepex ((EFI_FIRMWARE_IMAGE_DEP *) Image, > ImageSize, ); > - if (IsDepexValid == TRUE) { > + if (IsDepexValid) { > Private->Descriptor.Dependencies = AllocatePool (DepexSize); > if (Private->Descriptor.Dependencies != NULL) { >CopyMem (Private->Descriptor.Dependencies->Dependencies, Image, > DepexSize); > -- > 2.17.1
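Review bot: in the Dependency.c hunk the Pop comment block is corrected for the parameter name and direction, but the unchanged line below it still reads "The value was popped onto the stack"; since the block is being touched, suggest "popped from the stack" in the same patch.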
Re: [edk2-devel] [PATCH 9/9] SecurityPkg/DxeImageVerificationLib: Differentiate error and search result in IsSignatureFoundInDatabase(CVE-2019-14575)
Ack-by : Chao Zhang -Original Message- From: devel@edk2.groups.io On Behalf Of Wang, Jian J Sent: Thursday, February 6, 2020 10:20 PM To: devel@edk2.groups.io Cc: Yao, Jiewen ; Zhang, Chao B Subject: [edk2-devel] [PATCH 9/9] SecurityPkg/DxeImageVerificationLib: Differentiate error and search result in IsSignatureFoundInDatabase(CVE-2019-14575) REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 To avoid false-negative issue in check hash against dbx, both error condition (as return value) and check result (as out parameter) of IsSignatureFoundInDatabase() are added. So the caller of this function will know exactly if a failure is caused by a black list hit or other error happening, and enforce a more secure operation to prevent secure boot from being bypassed. For a white list check (db), there's no such necessity. All intermediate results inside this function will be checked and returned immediately upon any failure or error, like out-of-resource, hash calculation error or certificate retrieval failure. Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Jian J Wang --- .../DxeImageVerificationLib.c | 77 ++- 1 file changed, 58 insertions(+), 19 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 5b7a67f811..8e599ca0be 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLi +++ b.c 
@@ -955,17 +955,19 @@ Done: @param[in] Signature Pointer to signature that is searched for. @param[in] CertTypePointer to hash algorithm. @param[in] SignatureSize Size of Signature.+ @param[out] IsFound Search result. Only valid if EFI_SUCCESS returned - @return TRUE Found the signature in the variable database.- @return FALSE Not found the signature in the variable database.+ @retval EFI_SUCCESS Finished the search without any error.+ @retval Others Error occurred in the search of database. **/-BOOLEAN+EFI_STATUS IsSignatureFoundInDatabase (- IN CHAR16 *VariableName,- IN UINT8 *Signature,- IN EFI_GUID *CertType,- IN UINTN SignatureSize+ IN CHAR16*VariableName,+ IN UINT8 *Signature,+ IN EFI_GUID *CertType,+ IN UINTN SignatureSize,+ OUT BOOLEAN *IsFound ) { EFI_STATUS Status;@@ -975,22 +977,28 @@ IsSignatureFoundInDatabase ( UINT8 *Data; UINTN Index; UINTN CertCount;- BOOLEAN IsFound;// // Read signature database variable. //- IsFound = FALSE;+ *IsFound = FALSE; Data = NULL; DataSize = 0; Status= gRT->GetVariable (VariableName, , NULL, , NULL); if (Status != EFI_BUFFER_TOO_SMALL) {-return FALSE;+if (Status == EFI_NOT_FOUND) {+ //+ // No database, no need to search.+ //+ Status = EFI_SUCCESS;+}++return Status; }Data = (UINT8 *) AllocateZeroPool (DataSize); if (Data == NULL) {-return FALSE;+return EFI_OUT_OF_RESOURCES; }Status = gRT->GetVariable (VariableName, , NULL, , Data);@@ -1010,7 +1018,7 @@ IsSignatureFoundInDatabase ( // // Find the signature in database. 
//- IsFound = TRUE;+ *IsFound = TRUE; // // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to validate image should be measured //@@ -1023,7 +1031,7 @@ IsSignatureFoundInDatabase ( Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize); } - if (IsFound) {+ if (*IsFound) { break; } }@@ -1037,7 +1045,7 @@ Done: FreePool (Data); } - return IsFound;+ return Status; } /**@@ -1642,6 +1650,8 @@ DxeImageVerificationHandler ( CHAR16 *NameStr; RETURN_STATUS PeCoffStatus; EFI_STATUS HashStatus;+ EFI_STATUS DbStatus;+ BOOLEAN IsFound;SignatureList = NULL; SignatureListSize = 0;@@ -1650,7 +1660,7 @@ DxeImageVerificationHandler ( PkcsCertData = NULL; Action= EFI_IMAGE_EXECUTION_AUTH_UNTESTED; IsVerified= FALSE;-+ IsFound = FALSE;// // Check the image type and get policy setting.@@ -1792,7 +1802,14 @@ DxeImageVerificationHandler ( goto Failed; } -if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, , mImageDigestSize)) {+ DbStatus = IsSignatureFoundInDatabase (+ EFI_IMAGE_SECURITY_DATABASE1,+ mImageDigest,+ ,+
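The behaviour the 3/9, 4/9 and 9/9 commit messages describe (zero-size probe, then fetch, with the error status kept apart from the search result so a deny-list caller can fail closed), as an added C example that is not EDK II code. `mock_get_variable`, `is_digest_in_db`, the status enum and the 4-byte digests are hypothetical stand-ins for gRT->GetVariable(), IsSignatureFoundInDatabase(), EFI_STATUS and real hashes.

```c
/* Added example; not EDK II code. Every name here is a hypothetical stand-in. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { ST_SUCCESS, ST_NOT_FOUND, ST_BUFFER_TOO_SMALL,
               ST_OUT_OF_RESOURCES, ST_DEVICE_ERROR } status_t;

#define DIGEST_LEN 4   /* constructed toy digest size, not a real hash length */

/* Constructed variable store holding digests back to back. */
typedef struct {
  const unsigned char *data;      /* NULL: the variable does not exist */
  size_t               size;
  bool                 fail_read; /* simulate a storage error on the data read */
} mock_store_t;

/* Constructed sample dbx content: two revoked digests. */
static const unsigned char SAMPLE_DBX[2 * DIGEST_LEN] = {
  0xde, 0xad, 0xbe, 0xef,  0x01, 0x02, 0x03, 0x04
};

/* Two-call contract: a too-small *size yields the required size. */
static status_t mock_get_variable(const mock_store_t *s, size_t *size, void *buf) {
  if (s->data == NULL || s->size == 0) return ST_NOT_FOUND;
  if (*size < s->size) { *size = s->size; return ST_BUFFER_TOO_SMALL; }
  if (s->fail_read) return ST_DEVICE_ERROR;
  memcpy(buf, s->data, s->size);
  *size = s->size;
  return ST_SUCCESS;
}

/* Return value: did the search complete. *found: was the digest present.
   *found is meaningful only when ST_SUCCESS is returned. */
status_t is_digest_in_db(const mock_store_t *s, const unsigned char *digest, bool *found) {
  size_t size = 0;   /* must be zero so the first call is a pure size probe */
  unsigned char *data;
  status_t st;

  if (found == NULL) return ST_DEVICE_ERROR;
  *found = false;
  st = mock_get_variable(s, &size, NULL);
  if (st != ST_BUFFER_TOO_SMALL) {
    if (st == ST_NOT_FOUND) return ST_SUCCESS;      /* no database, nothing to search */
    return st == ST_SUCCESS ? ST_DEVICE_ERROR : st; /* a probe must never succeed */
  }
  data = malloc(size);
  if (data == NULL) return ST_OUT_OF_RESOURCES;
  st = mock_get_variable(s, &size, data);
  if (st == ST_SUCCESS) {
    for (size_t i = 0; i + DIGEST_LEN <= size; i += DIGEST_LEN) {
      if (memcmp(data + i, digest, DIGEST_LEN) == 0) { *found = true; break; }
    }
  }
  free(data);   /* single exit: the buffer is released on the error path too */
  return st;
}

/* Deny list (dbx): a hit or any error forbids the image. */
bool is_forbidden_by_dbx(const mock_store_t *dbx, const unsigned char *digest) {
  bool found = false;
  status_t st = is_digest_in_db(dbx, digest, &found);
  return st != ST_SUCCESS || found;
}

/* Allow list (db): only a completed search with a hit allows the image. */
bool is_allowed_by_db(const mock_store_t *db, const unsigned char *digest) {
  bool found = false;
  return is_digest_in_db(db, digest, &found) == ST_SUCCESS && found;
}

/* Pre-patch shape for comparison: one BOOLEAN, so an error reads as "not found". */
bool is_forbidden_legacy(const mock_store_t *dbx, const unsigned char *digest) {
  bool found = false;
  return is_digest_in_db(dbx, digest, &found) == ST_SUCCESS && found;
}

int main(void) {
  const unsigned char revoked[DIGEST_LEN] = { 0x01, 0x02, 0x03, 0x04 };
  mock_store_t healthy = { SAMPLE_DBX, sizeof SAMPLE_DBX, false };
  mock_store_t failing = { SAMPLE_DBX, sizeof SAMPLE_DBX, true };
  printf("healthy dbx, revoked digest: forbidden=%d\n", is_forbidden_by_dbx(&healthy, revoked));
  printf("failing dbx, fail-closed:    forbidden=%d\n", is_forbidden_by_dbx(&failing, revoked));
  printf("failing dbx, legacy shape:   forbidden=%d\n", is_forbidden_legacy(&failing, revoked));
  return 0;
}
```

The same store error gives opposite verdicts in the two deny-list callers, and the allow-list caller needs no special case because an error already reads as "not allowed".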
[edk2-devel] [PATCH 1/3] FmpDevicePkg/FmpDxe: Issues reported by ECC in EDK2.
https://bugzilla.tianocore.org/show_bug.cgi?id=2515 Change the FmpDevicePkg to match the ECC check rule Signed-off-by: GuoMinJ --- FmpDevicePkg/FmpDxe/Dependency.c | 4 ++-- FmpDevicePkg/FmpDxe/Dependency.h | 2 +- FmpDevicePkg/FmpDxe/FmpDxe.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/FmpDevicePkg/FmpDxe/Dependency.c b/FmpDevicePkg/FmpDxe/Dependency.c index b63a36b989..8f97c42916 100644 --- a/FmpDevicePkg/FmpDxe/Dependency.c +++ b/FmpDevicePkg/FmpDxe/Dependency.c @@ -163,8 +163,8 @@ Push ( /** Pop an element from the stack. - @param[in] Value Element to pop. - @param[in] Type Type of element. + @param[out] ElementElement to pop. + @param[in] Type Type of element. @retval EFI_SUCCESSThe value was popped onto the stack. @retval EFI_ACCESS_DENIED The pop operation underflowed the stack. diff --git a/FmpDevicePkg/FmpDxe/Dependency.h b/FmpDevicePkg/FmpDxe/Dependency.h index a2aaaceeae..badd2542d6 100644 --- a/FmpDevicePkg/FmpDxe/Dependency.h +++ b/FmpDevicePkg/FmpDxe/Dependency.h @@ -56,7 +56,7 @@ EvaluateImageDependencies ( IN CONST EFI_GUIDImageTypeId, IN CONST UINT32 Version, IN CONST EFI_FIRMWARE_IMAGE_DEP *Dependencies, - IN CONST UINT32 DependenciesSize, + IN CONST UINT32 DepexSize, OUT BOOLEAN *IsSatisfied ); diff --git a/FmpDevicePkg/FmpDxe/FmpDxe.c b/FmpDevicePkg/FmpDxe/FmpDxe.c index aa92331966..5b523291e4 100644 --- a/FmpDevicePkg/FmpDxe/FmpDxe.c +++ b/FmpDevicePkg/FmpDxe/FmpDxe.c 
@@ -413,7 +413,7 @@ PopulateDescriptor ( } if (!EFI_ERROR (Status) && Image != NULL) { IsDepexValid = ValidateImageDepex ((EFI_FIRMWARE_IMAGE_DEP *) Image, ImageSize, ); - if (IsDepexValid == TRUE) { + if (IsDepexValid) { Private->Descriptor.Dependencies = AllocatePool (DepexSize); if (Private->Descriptor.Dependencies != NULL) { CopyMem (Private->Descriptor.Dependencies->Dependencies, Image, DepexSize); -- 2.17.1
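Review bot: In the Pop() header comment in Dependency.c, the unchanged `@retval EFI_SUCCESS` line still reads "The value was popped onto the stack", which describes Push rather than Pop; since this hunk is already correcting the comment, change it to "popped from the stack" in the same pass.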
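Review bot: The Dependency.h hunk renames the prototype parameter `DependenciesSize` to `DepexSize`, but the diffstat shows only the Pop() comment changing in Dependency.c, so please confirm that the EvaluateImageDependencies definition and its `@param` line already use `DepexSize`. The commit message should also name the ECC rule each of the three changes addresses, since "match the ECC check rule" does not let a reader verify them.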
[edk2-devel] [PATCH 3/3] SecurityPkg: Issues reported by ECC in EDK2.
https://bugzilla.tianocore.org/show_bug.cgi?id=2515 Change the SecurityPkg to match the ECC check rule Signed-off-by: GuoMinJ --- SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c | 4 ++-- SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c index 1fe1955cab..9a5f987e68 100644 --- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c +++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c @@ -772,7 +772,7 @@ Tcg2GetEventLog ( return EFI_SUCCESS; } -/* +/** Return if this is a Tcg800155PlatformIdEvent. @param[in] NewEventHdr Pointer to a TCG_PCR_EVENT_HDR/TCG_PCR_EVENT_EX data structure. @@ -783,7 +783,7 @@ Tcg2GetEventLog ( @retval TRUE This is a Tcg800155PlatformIdEvent. @retval FALSE This is NOT a Tcg800155PlatformIdEvent. -*/ +**/ BOOLEAN Is800155Event ( IN VOID *NewEventHdr, diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c index 7e94a8e1ed..4852d86906 100644 --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c @@ -460,7 +460,7 @@ MeasureCRTMVersion ( ); } -/* +/** Get the FvName from the FV header. Causion: The FV is untrusted input. @@ -470,7 +470,7 @@ MeasureCRTMVersion ( @return FvName pointer @retval NULL FvName is NOT found -*/ +**/ VOID * GetFvName ( IN EFI_PHYSICAL_ADDRESS FvBase, -- 2.17.1
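Review bot: In the GetFvName hunk in Tcg2Pei.c the comment opener becomes `/**` but the unchanged line "Causion: The FV is untrusted input." keeps its typo; correct it to "Caution" while the block is being touched, since that is the line that flags the FV as untrusted input and it should be easy to find by search.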
[edk2-devel] [PATCH 2/3] MdeModulePkg: Issues reported by ECC in EDK2.
https://bugzilla.tianocore.org/show_bug.cgi?id=2515 Change the MdeModulePkg to match the ECC check rule Signed-off-by: GuoMinJ --- MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c | 4 ++-- MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c | 2 +- MdeModulePkg/MdeModulePkg.uni | 4 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c b/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c index f8020f4e72..6c68a97d4e 100644 --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c @@ -2071,7 +2071,7 @@ InitializeP2C ( PciIo->Pci.Write (PciIo, EfiPciIoWidthUint8, 0x3C, 1, ); } -/* +/** Authenticate the PCI device by using DeviceSecurityProtocol. @param PciIoDevice PCI device. @@ -2079,7 +2079,7 @@ InitializeP2C ( @retval EFI_SUCCESS The device passes the authentication. @return not EFI_SUCCESS The device failes the authentication or unexpected error happen during authentication. -*/ +**/ EFI_STATUS AuthenticatePciDevice ( IN PCI_IO_DEVICE*PciIoDevice diff --git a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c index b05c818462..da5559ae76 100644 --- a/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c +++ b/MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHci.c @@ -2200,7 +2200,7 @@ SdMmcSoftwareReset ( SD specification section 3.10. @param[in] PrivatePointer to driver private data. - @param[in] TrbPointer to currently executing TRB. + @param[in] Slot Index of the slot for device. @param[in] IntStatus Normal interrupt status mask. @retval EFI_CRC_ERROR CRC error happened during CMD execution. diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni index cc18e53322..2c856ed073 100644 --- a/MdeModulePkg/MdeModulePkg.uni +++ b/MdeModulePkg/MdeModulePkg.uni 
@@ -1314,3 +1314,7 @@ "when the PCD is TRUE but CPU doesn't support 5-Level Paging." " TRUE - 5-Level Paging will be enabled." " FALSE - 5-Level Paging will not be enabled." + +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdTcgPfpMeasurementRevision_PROMPT #language en-US "TCG Platform Firmware Profile revision" + +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdTcgPfpMeasurementRevision_HELP #language en-US "Indicates which TCG Platform Firmware Profile revision the EDKII firmware follows." -- 2.17.1
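Review bot: In the AuthenticatePciDevice header comment in PciEnumeratorSupport.c only the `/*` and `*/` delimiters change, which leaves `@param PciIoDevice` without a direction although the prototype marks it `IN`, and leaves the typo "failes" in the `@return` line. Make it `@param[in]` and "fails" in the same pass so the comment does not need another ECC fix later.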
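Review bot: The MdeModulePkg.uni hunk adds PROMPT and HELP strings for `PcdTcgPfpMeasurementRevision`, which is unrelated to the comment fixes in the other two files and is not mentioned in the commit message. The diffstat does not touch a .dec file, so please confirm the PCD is already declared and state in the message that the strings were missing.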
Re: [edk2-devel] [edk2-platforms] [PATCH 4/4] WhiskeylakeOpenBoardPkg/UpXtreme: Add DSC and build files
Hi Prince, Please see my comments inline. Thanks, Chasel > -Original Message- > From: Agyeman, Prince > Sent: Thursday, February 13, 2020 9:38 AM > To: devel@edk2.groups.io > Cc: Chiu, Chasel ; Desimone, Nathaniel L > > Subject: [edk2-platforms] [PATCH 4/4] WhiskeylakeOpenBoardPkg/UpXtreme: > Add DSC and build files > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2191 > > Adds the DSC and build files necessary to build the > UpXtreme board instance. > > Key files > = > * build_config.cfg - Board-specific build configuration file. > * OpenBoardPkg.dsc - The UpXtreme board description file. > * OpenBoardPkgPcd.dsc - Used for other PCD customization. > * OpenBoardPkg.fdf - The UpXtreme board flash file. > * OpenBoardPkgBuildOption.dsc - Sets build options Based > on PCD values. > > Co-authored-by: Michael Kubacki > Cc: Chasel Chiu > Cc: Nate DeSimone > Signed-off-by: Prince Agyeman > --- > Platform/Intel/Readme.md | 12 + > .../UpXtreme/OpenBoardPkg.dsc | 448 +++ > .../UpXtreme/OpenBoardPkg.fdf | 708 > ++ > .../UpXtreme/OpenBoardPkgBuildOption.dsc | 154 > .../UpXtreme/OpenBoardPkgPcd.dsc | 409 ++ > .../UpXtreme/build_config.cfg | 35 + > Platform/Intel/build.cfg | 1 + > 7 files changed, 1767 insertions(+) > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.fdf > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkgBuildOpt > ion.dsc > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkgPcd.dsc > create mode 100644 > Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/build_config.cfg > > diff --git a/Platform/Intel/Readme.md b/Platform/Intel/Readme.md > index 02d9517d19..81092633f7 100644 > --- a/Platform/Intel/Readme.md > +++ b/Platform/Intel/Readme.md 
> @@ -59,6 +59,12 @@ A UEFI firmware implementation using MinPlatformPkg > is constructed using the fol > > ### **Supported Hardware** > > + AAEON > + > +| Machine Name | Supported Chipsets > | BoardPkg | Board Name | > +|| > --|| > +| UP Xtreme | Whiskey Lake > | WhiskeylakeOpenBoardPkg | UpXtreme | > + > Intel > > ***Intel Reference and Validation Platform*** > @@ -233,6 +239,9 @@ return back to the minimum platform caller. >| || > build settings, environment variables. >| || >| ||--WhiskeylakeOpenBoardPkg > + | || |--UpXtreme > + | || |---build_config.cfg: > UpXtreme specific build > + | || > settings environment variables. >| || |--WhiskeylakeURvp >| || |---build_config.cfg: > WhiskeylakeURvp specific build >| || > settings environment variables. > @@ -256,6 +265,9 @@ return back to the minimum platform caller. > **WhiskeylakeOpenBoardPkg** > 1. This firmware project has only been tested booting to Microsoft Windows > 10 x64 with AHCI mode and Integrated Graphic > Device. > +2. UP Xtreme boards might hang during Windows 10 boot. > +3. Not all UP Xtreme boards are supported at this time, only the XXX model Basing on BZ, this XXX should be "SK Hynix memory", would you double check? > has been tested. Board-specific memory > + settings are needed to enable other models. > > ### **Package Builds** > > diff --git > a/Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc > b/Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc > new file mode 100644 > index 00..2ab9cb03ea > --- /dev/null > +++ > b/Platform/Intel/WhiskeylakeOpenBoardPkg/UpXtreme/OpenBoardPkg.dsc 
> @@ -0,0 +1,448 @@ > +## @file > +# The main build description file for the UpXtreme board. > +# > +# Copyright (c) 2020, Intel Corporation. All rights reserved. > +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + DEFINE PLATFORM_PACKAGE = MinPlatformPkg > + DEFINE PLATFORM_SI_PACKAGE = CoffeelakeSiliconPkg > + DEFINE PLATFORM_SI_BIN_PACKAGE = CoffeelakeSiliconBinPkg > + DEFINE PLATFORM_FSP_BIN_PACKAGE = CoffeeLakeFspBinPkg > + DEFINE PLATFORM_BOARD_PACKAGE= > WhiskeylakeOpenBoardPkg > + DEFINE BOARD = UpXtreme > + DEFINE PROJECT = > $(PLATFORM_BOARD_PACKAGE)/$(BOARD) > + DEFINE PEI_ARCH = IA32 > + DEFINE DXE_ARCH
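Review bot: In the Readme.md known-limitations hunk, the new item 2 "UP Xtreme boards might hang during Windows 10 boot" gives no condition or bug reference, so a reader cannot tell when the hang occurs or whether it is being tracked. State the conditions under which it was observed or link the Bugzilla entry that tracks it.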
Re: [edk2-devel] [PATCH v2 0/3] UefiCpuPkg/CpuFeature: Introduce First to indicate 1st unit.
For the series: Reviewed-by: Eric Dong -----Original Message----- From: devel@edk2.groups.io On Behalf Of Ray Ni Sent: Tuesday, November 26, 2019 2:16 PM To: devel@edk2.groups.io Subject: [edk2-devel] [PATCH v2 0/3] UefiCpuPkg/CpuFeature: Introduce First to indicate 1st unit. Ray Ni (3): UefiCpuPkg/RegisterCpuFeaturesLib: Delete CPU_FEATURE_[BEFORE|AFTER] UefiCpuPkg/RegisterCpuFeaturesLib: Rename [Before|After]FeatureBitMask UefiCpuPkg/CpuFeature: Introduce First to indicate 1st unit. .../Include/Library/RegisterCpuFeaturesLib.h | 49 +--- .../CpuCommonFeaturesLib.c| 6 +- .../CpuFeaturesInitialize.c | 74 +++ .../RegisterCpuFeatures.h | 4 +- .../RegisterCpuFeaturesLib.c | 74 ++- 5 files changed, 158 insertions(+), 49 deletions(-) -- 2.21.0.windows.1